easy way to confirm email validity

Henry Hertz Hobbit hhhobbit at securemecca.net
Fri May 25 00:30:40 CEST 2007


Henry Hertz Hobbit wrote:

<SNIP>

As an aside, if you are concerned about DNS cache server
poisoning, then take the IP address and stick it into the
hosts file (make sure hosts come before DNS in the
nsswitch.conf file in *nix machines).  If nothing else it
stops the chatter-happy Zone Alarm firewall from querying
for its IP address every five seconds.  The host / domain
name has more than one IP address?  Randomly pick one of
them.  Check back that they are the same but not every five
seconds. Try every six hours for a week or so until all
the DNS TTLs have timed out.  djbdns anybody?

I am interpreting your statement as saying all of the people
you will be sending to are only moderately interested in
verification rather than paranoid, and that they will all be
using Windows. Correct me if I am wrong.  If the conditions
are not these, the next statement has NO meaning.

Now that we know a little better what you want to do (just
one-way verification of emails with them verifying you but not
vice versa) you MAY be best served by using X.509.

I really don't like the idea of that web verification scheme.
Once you look at X.509 you will see that is better.  I have
had mail redirects in the past week from several universities,
and one of them was from MIT!  It is just too easy for Mallory
to say "click on this link" to verify, and back we go to
phishing 101.  In other words, there is no substitute but for
the people who are getting your messages to assume some of the
responsibility for verification themselves.  One of the key
things in Bruce Schneier's security service is people
monitoring what is going on.  The people receiving your
messages need to assume some of the responsibility themselves.

HHH
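
The hosts-file pinning from the aside in the message above, as an added example that is not part of the original post: it checks that `files` precedes `dns` on the `hosts:` line of nsswitch.conf and compares the pinned address with the addresses a DNS-only lookup returns. The function names, host name and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# files_before_dns FILE: succeed if the "hosts:" line lists "files" ahead of "dns".
files_before_dns() {
    awk '$1 == "hosts:" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "files") { ok = 1; exit }
                 if ($i == "dns") exit
             }
         }
         END { exit !ok }' "$1"
}

# pinned_ip HOSTS_FILE NAME: print the address pinned for NAME (first match wins).
pinned_ip() {
    awk -v name="$2" '{
             sub(/#.*/, "")
             for (i = 2; i <= NF; i++)
                 if (tolower($i) == tolower(name)) { print $1; exit }
         }' "$1"
}

# check_pin HOSTS_FILE NAME ADDR...: ADDR... are the addresses a DNS-only lookup
# returns right now (e.g. from `dig +short A NAME`; getent would just echo the pin).
# Prints OK if the pin is still among them, DRIFT if not, UNPINNED if no pin exists.
check_pin() {
    hosts_file=$1; name=$2; shift 2
    pin=$(pinned_ip "$hosts_file" "$name")
    if [ -z "$pin" ]; then echo UNPINNED; return 2; fi
    for addr in "$@"; do
        if [ "$addr" = "$pin" ]; then echo OK; return 0; fi
    done
    echo DRIFT; return 1
}

# Constructed sample files; on a real machine pass /etc/nsswitch.conf and /etc/hosts.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'passwd: files\nhosts:  files dns\n' > "$demo_dir/nsswitch.conf"
printf '127.0.0.1 localhost\n192.0.2.10 mail.example.org  # pinned\n' > "$demo_dir/hosts"

files_before_dns "$demo_dir/nsswitch.conf" && echo "hosts file is consulted before DNS"
check_pin "$demo_dir/hosts" mail.example.org 192.0.2.11 192.0.2.10 || true
check_pin "$demo_dir/hosts" mail.example.org 192.0.2.99 || true
```

A DRIFT result is the cue to re-verify the address by some other route before updating the pin; a six-hourly cron entry matches the interval suggested in the message.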




More information about the Gnupg-users mailing list