--- Comment #18 from Jeff Green <> ---
A discussion started regarding the VERP scheme in an email thread; it seems to
make sense to move that discussion here. So here's the gist of the discussion so

Given a VERP address generally looks something like this:


The prefix /^bounce-/ is used by the incoming MTA as a hook to route messages
to the bounce processor, and $key is used by the bounce processor to figure out
which wiki user is having delivery issues. 

We need to prevent an attacker from spoofing bounce messages and causing mass
unsubscribes. We can accomplish this by making $key secret, and not a simple hash
that can be reversed or guessed.

"something like an HMAC, with a secret key"

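The scheme discussed in the comment above, as an added example that is not part of the original comment or the project's code: a bounce address whose key carries an HMAC tag, so the bounce processor can reject addresses it did not issue. The address layout (`bounce-<user id>-<issue time>-<tag>`), the domain, the secret, the one-week lifetime and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

# Everything below is assumed for illustration; none of it comes from the comment.
SECRET = b"constructed-demo-secret"   # in practice: random, known only to the server
DOMAIN = "bounce.example.org"         # placeholder domain
MAX_AGE = 7 * 24 * 3600               # assumed policy: keys expire after one week
ADDR_RE = re.compile(
    r"^bounce-(\d+)-(\d+)-([a-z2-7]{32})@" + re.escape(DOMAIN) + r"$"
)


def _tag(user_id: int, issued: int) -> str:
    """HMAC-SHA256 over the fields the bounce processor will act on."""
    msg = f"{user_id}:{issued}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()[:20]  # 160-bit tag
    # Lowercase base32 survives MTAs that fold the local part's case.
    return base64.b32encode(digest).decode().lower()


def make_verp(user_id: int, issued: int) -> str:
    """Build the envelope sender for one outgoing mail."""
    return f"bounce-{user_id}-{issued}-{_tag(user_id, issued)}@{DOMAIN}"


def verify_verp(address: str, now: int):
    """Return the user id if the address is authentic and fresh, else None."""
    m = ADDR_RE.match(address.strip().lower())
    if not m:
        return None
    user_id, issued, tag = int(m.group(1)), int(m.group(2)), m.group(3)
    # Constant-time comparison; a forged or altered key fails here.
    if not hmac.compare_digest(tag, _tag(user_id, issued)):
        return None
    # Bound the window in which a leaked address can be replayed.
    if not 0 <= now - issued <= MAX_AGE:
        return None
    return user_id
```

Because the user id and issue time are inside the MAC input, changing either one invalidates the tag, which is what stops a sender from enumerating user ids to trigger unsubscribes.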