From: Seth Breidbart (sethb@panix.com)
Date: Wed Jun 02 1999 - 14:39:33 CDT
> If an injector is signing (as will probably be the case for most users) it's
> still fine as long as the injector, like all current injectors, won't
> re-use a message-id, at least during the history period. If AOL owns
> all message-ids matching <*@aol.com.O> what is the attack one can place
> on their messages, even within AOL?
AOL is big enough to be asynchronous, so unless the injector checks
the userid against the userid part of <*.userid@aol.com.O>, such an
attack is possible. (In fact, if I can predict the local part that
you'll be generating, I can prevent you from posting, even in a
synchronous system.)
Or, each injector can have its own part of the namespace, but that
prevents the user from generating the message-id.
Seth