Re: New hijacking - Done via via good old-fashioned Identity Theft
From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Thu Oct 7 23:37:29 2010
Date: Fri, 08 Oct 2010 15:38:12 +1100
From: Ben McGinnes <ben@adversary.org>
To: Leen Besselink <leen@consolejunkie.net>
Subject: Re: New hijacking - Done via via good old-fashioned Identity Theft
Cc: nanog@nanog.org
On 8/10/10 10:00 AM, Leen Besselink wrote:
key@domain.tld for when you have a personal domain
key-user@domain.tld for when you have a server which understands address extensions
Actually I think it's user+key@domain.tld for the second one. At least that's what I've seen for Postfix. Not so sure about other MTAs.
SendMail 'invented' the 'plussed' extension to an address. Other MTAs mimic SendMail's behavior.

The '+key' is ignored for purposes of selecting the delivery mailbox. username+anything gets handed to the LDA for final delivery to mailbox 'username', _with_ the 'plus part' (i.e. 'anything', from above) available as an extra parameter.

To selectively accept/discard on the plussed portion of the address, you either do it in the LDA (procmail, for example, makes this really easy), or you have to run a 'milter' that knows which plussed parts are valid for which users.

For a mailserver that does -not- understand 'plussed' addresses, you can usually fake it out by putting the key as an extra element of the host-name, e.g. user@key.some.dom.ain.tld. AFAIK every MTA accepts mail with a more-specific name than a name it has been explicitly told to accept (either for local delivery, or for forwarding) mail for.
participants (1)
- Robert Bonomi
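
Added example, not part of the original message or of any MTA's code: a sketch of the per-user accept/discard decision that the message says an LDA rule or a milter has to make, covering both the user+key@domain.tld form and the user@key.domain.tld host-name form. The names BASE_DOMAIN, VALID_KEYS, split_recipient and decide, the sample keys, lower-casing of the local part, and accepting an address with no key are all assumptions made for the illustration.

```python
# Added example (not from the thread): the accept/discard decision a milter or
# LDA filter could make on the key part of a recipient address.
# BASE_DOMAIN and VALID_KEYS are constructed sample values.

BASE_DOMAIN = "domain.tld"
VALID_KEYS = {                      # keys each mailbox has handed out
    "user": {"registrar", "nanog"},
    "alice": {"bank"},
}


def split_recipient(address, base_domain=BASE_DOMAIN):
    """Return (mailbox, key) for user+key@domain or user@key.domain.

    key is None when the address carries no key; ValueError is raised when
    the address is malformed or is not for base_domain."""
    local, sep, host = address.strip().rpartition("@")
    if not sep or not local or not host:
        raise ValueError("not an address: %r" % address)
    host = host.lower().rstrip(".")
    base = base_domain.lower()
    # Plussed form: only the first '+' separates mailbox from key.
    mailbox, plus, plus_key = local.partition("+")
    if not mailbox:
        raise ValueError("empty mailbox")
    if host == base:
        host_key = None
    elif host.endswith("." + base):
        # Host-name form: the labels left of the base domain are the key.
        host_key = host[: -len(base) - 1]
    else:
        raise ValueError("not our domain: %r" % host)
    if plus and host_key:
        raise ValueError("key given in both forms")
    key = plus_key if plus else host_key
    return mailbox.lower(), (key.lower() if key is not None else None)


def decide(address, valid_keys=VALID_KEYS, base_domain=BASE_DOMAIN):
    """Return 'accept' or 'discard' for one envelope recipient."""
    try:
        mailbox, key = split_recipient(address, base_domain)
    except ValueError:
        return "discard"
    if mailbox not in valid_keys:
        return "discard"
    if key is None:
        return "accept"             # assumption: the bare address stays valid
    return "accept" if key in valid_keys[mailbox] else "discard"
```

Matching the host against "." + base rather than base alone is what keeps a look-alike such as user@notdomain.tld from being treated as a keyed address for domain.tld.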