On Sat, Apr 13, 2002 at 06:51:35AM +0200, Tony L. Svanstrom wrote:
> Just to point out the blatantly obvious to most, nobody should use
> this system-wide without changing the lines to include some simple
> rudimentary per-user password... unless you want one user to be
> able to cause another user's mail to be junked (at best... if you're
> not using spamd, then a custom rule can be defined in a user prefs
> turning this into a potential remote access hole[1]).

Absolutely.  I meant to put in, and I don't know why I forgot: this is
a proof-of-concept snippet, not what you'd want to roll out to all of
your users.  Sorry about that.  I wrote this up right before going to
bed last night. <G>

I thought about what security one could put into the rules, but couldn't
come up with anything I really liked:

- Verify the "From:" header?  Too easy to fake.
- Specify a password on the subject line?  Likely to have users with
  bad passwords, or reusing important passwords, or ...  It would also
  be sent around in cleartext.
- Use PGP/GPG to sign the messages.  Secure, but hard to implement since
  most users don't use/have access to these programs.


I think the version that I'm going to end up with will avoid email
altogether.  Probably some form of username/password/SSL protected
website where one can deal with all the configuration stuff.

The email version is a good idea if you're just a user and want to set
something up for yourself, but there are better ways to do it.

-- 
Randomly Generated Tagline:
Linux: Because a PC is a terrible thing to waste.
 (By [EMAIL PROTECTED], Mark Komarinski)

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
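The three options weighed in the message above, worked through as an added example; this is not code from the original post or from SpamAssassin itself. A per-user shared-secret MAC stands in for the PGP/GPG signature (no key ring needed on the user's side, but the secret must be handed out once, out of band), and the same harness shows what a checked From: header or a guessed token buys an attacker. The header names (X-Pref-*), the user list, the secrets and the command bodies are all constructed for the example.

```python
"""Authenticate e-mailed preference commands with a per-user shared-secret
MAC.  Added illustration only: it replaces the PGP/GPG signing option from
the discussion with an HMAC over (user, timestamp, body)."""
import email
import hashlib
import hmac

# Constructed for the example (assumption): secrets live server-side, e.g.
# next to each user's prefs, and are never sent inside the mail itself.
USER_SECRETS = {
    "alice": b"alice-long-random-secret-0x3f9a",
    "bob": b"bob-long-random-secret-0x7c21",
}
MAX_SKEW = 300  # seconds a command stays valid; bounds the replay window


def _mac(secret, user, ts, body):
    # Cover everything the server will act on: the user whose prefs change,
    # the time the command was issued, and the canonical (stripped) body.
    msg = b"\x00".join([user.encode(), str(ts).encode(), body.strip().encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_command(user, body, ts):
    """Client side: raw RFC 822 text of an authenticated preference command."""
    auth = _mac(USER_SECRETS[user], user, ts, body)
    return (f"From: {user}@example.org\n"
            f"Subject: SA-PREF\n"
            f"X-Pref-User: {user}\n"
            f"X-Pref-Timestamp: {ts}\n"
            f"X-Pref-Auth: {auth}\n"
            f"\n{body}")


def forge_without_secret(victim, body, ts):
    """What an attacker can do: write any From:/X-Pref-User: header they
    like, but without the victim's secret the MAC is a guess."""
    return (f"From: {victim}@example.org\nSubject: SA-PREF\n"
            f"X-Pref-User: {victim}\nX-Pref-Timestamp: {ts}\n"
            f"X-Pref-Auth: {'0' * 64}\n\n{body}")


def verify_command(raw, now, seen):
    """Server side: return (user, body) for an authentic command, else raise
    ValueError.  `seen` holds MACs already acted on, to catch a replay that
    arrives inside the time window."""
    m = email.message_from_string(raw)
    user = m.get("X-Pref-User", "")
    secret = USER_SECRETS.get(user)
    if secret is None:
        raise ValueError("unknown user")  # From: is never consulted
    try:
        ts = int(m.get("X-Pref-Timestamp", ""))
    except ValueError:
        raise ValueError("bad timestamp") from None
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("stale command")
    body = m.get_payload()
    given = m.get("X-Pref-Auth", "")
    expected = _mac(secret, user, ts, body)
    if not hmac.compare_digest(expected, given):  # constant-time compare
        raise ValueError("bad MAC")
    if given in seen:
        raise ValueError("replayed command")
    seen.add(given)
    return user, body


def check(raw, now, seen):
    """Fold the verdict into a string so the cases below read side by side."""
    try:
        verify_command(raw, now, seen)
        return "accepted"
    except ValueError as e:
        return str(e)


def demo():
    now = 1_000_000_000  # fixed clock so the run is deterministic
    seen = set()
    body = "whitelist_from friend@example.net\nrequired_score 5.0"
    good = build_command("alice", body, now)
    return {
        "genuine": check(good, now + 5, seen),
        "forged_from": check(forge_without_secret("alice", "required_score 0.1", now), now + 5, seen),
        "tampered_body": check(good.replace("required_score 5.0", "required_score 0.1"), now + 5, seen),
        "replayed": check(good, now + 10, seen),
        "stale": check(good, now + 3600, set()),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} {verdict}")
```

Unlike a password on the subject line, the secret itself never travels in the mail; only a MAC bound to the user, the time and the body does, so a message captured in transit can at most be replayed, and the timestamp window plus the seen-set close that. The concern raised in the post still stands in one form: the shared secret is a password the user has to keep somewhere, and the commands themselves are still readable in transit, so this buys authentication, not confidentiality.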
