https://bugzilla.wikimedia.org/show_bug.cgi?id=46640

--- Comment #18 from Jeff Green <jgr...@wikimedia.org> ---
A discussion started regarding the VERP scheme in an email thread; it seems to
make sense to move that discussion here. So here is the gist of the discussion
so far.

Given a VERP address generally looks something like this:

bounce-{$key}@wikimedia.org

The prefix /^bounce-/ is used by the incoming MTA as a hook to route messages
to the bounce processor, and $key is used by the bounce processor to figure out
which wiki user is having delivery issues. 

We need to prevent an attacker from spoofing bounce messages and causing mass
unsubscribes. We can accomplish this by making $key secret, and not a simple
hash that can be reversed or guessed.

"something like an HMAC, with a secret key"

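One way the HMAC-keyed VERP address suggested in the comment above could be built and checked, as an added Python example that is not code from the bug thread or from MediaWiki. The payload layout (wiki id, user id, hex timestamp), the secret, the 30-day acceptance window and the 80-bit tag truncation are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: the real key lives in private config
DOMAIN = "wikimedia.org"
MAX_AGE = 30 * 86400                 # assumption: accept bounces for 30 days
TAG_BYTES = 10                       # assumption: 80-bit tag -> 16 base32 characters


def _tag(payload):
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    # Lowercase base32 survives MTAs that case-fold the local part.
    return base64.b32encode(mac[:TAG_BYTES]).decode().lower()


def make_verp(wiki, user_id, now=None):
    """Build bounce-{$key}@domain; wiki must not contain '-' (assumed layout)."""
    ts = int(time.time()) if now is None else now
    payload = f"{wiki}-{user_id}-{ts:x}"
    return f"bounce-{payload}-{_tag(payload)}@{DOMAIN}"


def parse_verp(address, now=None):
    """Return (wiki, user_id) for a genuine, unexpired address, else None."""
    now = int(time.time()) if now is None else now
    local, _, domain = address.lower().rpartition("@")
    if domain != DOMAIN or not local.startswith("bounce-"):
        return None
    payload, _, tag = local[len("bounce-"):].rpartition("-")
    # Verify the MAC in constant time before trusting any field.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None
    try:
        wiki, user_id, ts = payload.split("-")
        user_id, ts = int(user_id), int(ts, 16)
    except ValueError:
        return None
    if not 0 <= now - ts <= MAX_AGE:
        return None  # stale or future-dated: limits replay of a leaked address
    return wiki, user_id
```

Only a sender holding the secret can mint a key that verifies, so a spoofed bounce with a guessed or altered `$key` is dropped before any unsubscribe logic runs.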