
Problems with interaction of SRS and Challenge/Response
As a followup to my previous message on the interaction of SES and
similar schemes with other anti-spam technology, there are also
similar issues with SRS that need to be addressed.

If a message is sent through an SRS forwarder to a system which employs
a challenge/response system such as TMDA, each message will appear to
be from a new sender, and will generate a new challenge (see my
previous message for more discussion).

I'm not immediately sure what the solution is. X-Primary-Address
doesn't work to fix this, for two reasons:

1. It's probably unreasonable to require all senders to add an
X-Primary-Address header to all mail they send, just in case it
gets forwarded.

2. It wouldn't help, even if they did, since the domain in the
X-Primary-Address header wouldn't match the domain in the envelope
sender, so TMDA would ignore the header.

There is a similar problem with the interaction with greylisting
systems.

Any thoughts? (And apologies if this has been discussed before.)

-roy

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss@v2.listbox.com
Re: Problems with interaction of SRS and Challenge/Response
Roy Badami <roy@gnomon.org.uk> [2004-02-28/16:15]:
> I'm not immediately sure what the solution is. X-Primary-Address
> doesn't work to fix this, for two reasons:
>
> 1. It's probably unreasonable to require all senders to add an
> X-Primary-Address header to all mail they send, just in case it
> gets forwarded.
>
> 2. It wouldn't help, even if they did, since the domain in the
> X-Primary-Address header wouldn't match the domain in the envelope
> sender, so TMDA would ignore the header.

Yes. I think TMDA needs a feature which allows it to do substring
matching on selected forwarding domains. I.e.

Return-Path: yyyyyyyyyyy+xxx.com+xxx@yyyyyyyyy.net
X-Primary-Address: xxx@xxx.com

Then the TMDA user would have to add yyyyyyyyy.net to TMDA's list of
forwarding domains, and apply substring matching, i.e. if both the local
part and the domain of X-Primary-Address appear in the local part of the
envelope return path, and the envelope return path has a domain listed
in the list of forwarding domains, then honor X-Primary-Address.

The alternative would be to add an X-Primary-Address like
xxx.com+xxx@yyyyyyyyy.net, which would be constant for mail forwarded
through the same machine from the same sender. This might work without
adding code to TMDA, but it is such an ugly hack with unsure
implications, and would get complicated with multiple hops, that I would
not dare do this.

I strongly feel the X-Primary-Address should remain the real address of
the sender, so what I do with my RPR scheme is I add an
X-Primary-Address header containing the original unrewritten envelope
return path if no X-Primary-Address header was present; if it was
present, I just preserve it. By doing this I depend on the TMDA folks to
make things work within TMDA.

But I think the TMDA folks should be able to decide which is the right
thing to do, so I think this should be discussed with them, not here.

Cheers,
Dan


--
Daniel Roethlisberger <daniel@roe.ch>
GnuPG key ID 0x804A06B1 (DSA/ElGamal)

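An added example (my own illustration, not TMDA's code or anything posted in this thread) of the forwarding-domain rule Dan proposes, written in Python since TMDA is a Python program. The forwarding-domain list is a constructed sample value, the SRS0-style address in the comments is a second constructed input to show the rule also covers that address shape, and the same-domain shortcut is the existing behaviour Roy's message describes TMDA as applying.

```python
from email.utils import parseaddr

# Constructed sample: the forwarding domains a TMDA user would list.
FORWARDING_DOMAINS = {"yyyyyyyyy.net"}


def split_address(addr):
    """Return (local_part, domain), lowercased, or None if addr is malformed."""
    _, addr = parseaddr(addr)          # strips "<...>" and display names
    if addr.count("@") != 1:
        return None
    local, domain = addr.rsplit("@", 1)
    return local.lower(), domain.lower()


def honor_primary_address(return_path, primary_address,
                          forwarding_domains=FORWARDING_DOMAINS):
    """Decide whether X-Primary-Address may stand in for the envelope sender.

    Existing rule (as Roy describes TMDA): honor the header when its domain
    matches the envelope sender's domain.
    Dan's proposed rule: additionally honor it when the return-path domain
    is a configured forwarding domain AND both the local part and the domain
    of X-Primary-Address appear as substrings of the return-path local part,
    i.e. the rewritten (SRS/RPR) address still carries the original sender.
    Anything else is rejected, so a header naming an unrelated address does
    not get treated as the sender.
    """
    rp, pa = split_address(return_path), split_address(primary_address)
    if rp is None or pa is None:
        return False
    rp_local, rp_domain = rp
    pa_local, pa_domain = pa
    if pa_domain == rp_domain:                     # not forwarded at all
        return True
    if rp_domain not in forwarding_domains:        # unknown forwarder
        return False
    return pa_local in rp_local and pa_domain in rp_local


def effective_sender(headers, forwarding_domains=FORWARDING_DOMAINS):
    """Address a challenge/response system should key its challenge on."""
    rp = headers.get("Return-Path", "")
    pa = headers.get("X-Primary-Address")
    if pa and honor_primary_address(rp, pa, forwarding_domains):
        return parseaddr(pa)[1].lower()
    return parseaddr(rp)[1].lower()
```

With this rule every hop through yyyyyyyyy.net yields the same effective sender, so a single challenge covers them all; the check still only binds the header to the return path it arrived with, it does not authenticate the original sender.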