https://bugzilla.wikimedia.org/show_bug.cgi?id=46640
--- Comment #18 from Jeff Green <[email protected]> ---
A discussion started regarding the VERP scheme in an email thread; it seems to make sense to move that discussion here. So here is the gist of the discussion so far.

Given a VERP address generally looks something like this:

bounce-{$key}@wikimedia.org

The prefix /^bounce-/ is used by the incoming MTA as a hook to route messages to the bounce processor, and $key is used by the bounce processor to figure out which wiki user is having delivery issues.

We need to prevent an attacker from spoofing bounce messages and causing mass unsubscribes. We can accomplish this by making $key secret, and not a simple hash that can be reversed or guessed.

"something like an HMAC, with a secret key"
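Added example, not part of the original comment or of the project's code: one way a bounce processor could issue and check a VERP address whose key carries an HMAC computed with a server-side secret, so a spoofed bounce for another user fails verification. The field layout (wiki id, user id, issue time, tag), the 14-day acceptance window, the 160-bit tag length and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import re

DOMAIN = "wikimedia.org"               # domain from the comment above
SECRET = b"constructed-demo-secret"    # assumption: server-side secret, never sent in mail
MAX_AGE = 14 * 86400                   # assumption: bounces older than 14 days are ignored
ADDR_RE = re.compile(
    r"bounce-([a-z0-9]+)-(\d+)-(\d+)-([a-z2-7]{32})@"
    + re.escape(DOMAIN))


def verp_tag(wiki, user_id, issued, secret):
    """HMAC-SHA256 over the routing fields, cut to 160 bits, lowercase base32."""
    msg = f"{wiki}|{user_id}|{issued}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()[:20]
    return base64.b32encode(digest).decode().lower()


def make_verp(wiki, user_id, issued, secret=SECRET):
    """Build the envelope sender for one outgoing mail (hypothetical layout)."""
    if not re.fullmatch(r"[a-z0-9]+", wiki):
        raise ValueError("wiki id must be lowercase alphanumeric")
    tag = verp_tag(wiki, user_id, issued, secret)
    return f"bounce-{wiki}-{user_id}-{issued}-{tag}@{DOMAIN}"


def verify_verp(address, now, secret=SECRET):
    """Return (wiki, user_id) for a genuine, fresh bounce address, else None."""
    m = ADDR_RE.fullmatch(address.strip().lower())
    if m is None:
        return None
    wiki, user_id, issued, tag = m[1], int(m[2]), int(m[3]), m[4]
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, verp_tag(wiki, user_id, issued, secret)):
        return None
    # Reject addresses from the future or outside the acceptance window.
    if not 0 <= now - issued <= MAX_AGE:
        return None
    return wiki, user_id


# Constructed sample values, for illustration only.
ISSUED = 1365000000
GENUINE = make_verp("enwiki", 12345, ISSUED)
FORGED = GENUINE.replace("-12345-", "-54321-")  # attacker swaps in another user id
```

The tag is lowercase base32 because mail systems may fold the case of the local part; the verifier lowercases the address before matching for the same reason.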
