[mail-vet-discuss] secdir review of draft-kucherawy-sender-auth-header-11.txt (fwd)
Murray S. Kucherawy
msk at sendmail.com
Thu Jan 31 15:10:26 PST 2008
Paul Hoffman wrote:
> That's not how I read the discussion on SecDir. In specific:
>
> At 9:09 AM -0500 1/29/08, Barry Leiba wrote:
>> [...] It seems likely that if this header should become popular,
>> malware would be changed to take advantage of that, and to use
>> compromised machines to spoof sender-auth headers within their own
>> domains... so this is a real threat that needs to be addressed. And
>> it seems to me that (1) is the right way to do it. So there should
>> be something in the security considerations describing this problem,
>> and suggesting (1) as a way to deal with it.
>
> That's more than a "security consideration".
The author of the review concurred with Barry's points, including that
last sentence, which seems to me to limit it all to a security
consideration.