New hijacking - Done via via good old-fashioned Identity Theft

From Thu Oct 7 23:37:29 2010
Date: Fri, 08 Oct 2010 15:38:12 +1100
From: Ben McGinnes <>
To: Leen Besselink <>
Subject: Re: New hijacking - Done via via good old-fashioned Identity Theft


> key@domain.tld for when you have a personal domain
> key-user@domain.tld for when you have a server which understands address
> extensions

Actually I think it's user+key@domain.tld for the second one. At least
that's what I've seen for Postfix. Not so sure about other MTAs.

Sendmail 'invented' the 'plussed' extension to an address.
Other MTAs mimic Sendmail's behavior.
The '+key' is ignored for purposes of selecting the delivery mailbox;
username+anything gets handed to the LDA for final delivery to mailbox
'username', _with_ the 'plus part' (i.e. 'anything', from above) available
as an extra parameter.

To selectively accept/discard on the plussed portion of the address,
you either do it in the LDA (procmail, for example, makes this really
easy), or you have to run a 'milter' that knows which plussed parts
are valid for which users.

For a mailserver that does -not- understand 'plussed' addresses, you
can usually fake it out by putting the key as an extra element of the
host-name, e.g. user@key.some.dom.ain.tld. AFAIK every MTA accepts
mail with a more-specific name than a name it has been explicitly told
to accept (either for local delivery, or for forwarding) mail for.
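
An added example, not part of the original message: a sketch of the accept/discard decision the message assigns to the LDA or a milter, covering both the user+key@domain.tld form and the key-in-hostname form. The domain, the '+' delimiter, the VALID_TAGS table, the function names and the rule that untagged mail is delivered are all assumptions made for illustration.

```python
# Added example: decide what to do with mail based on the "key" in the recipient.
# Every user, key and domain below is constructed sample data.

BASE_DOMAIN = "domain.tld"   # assumed domain this server accepts mail for
DELIMITER = "+"              # assumed address-extension delimiter

# Hypothetical table of which keys each mailbox owner has handed out.
VALID_TAGS = {
    "user": {"key", "lists"},
    "alice": {"shop"},
}


def split_recipient(rcpt):
    """Return (mailbox, key) for user+key@domain or user@key.domain.

    key is None for a plain address; ValueError for anything else.
    """
    local, at, host = rcpt.strip().rpartition("@")
    if not at or not local or not host:
        raise ValueError("not an address: %r" % rcpt)
    host = host.lower().rstrip(".")
    # Split on the first delimiter only, so the key may itself contain '+'.
    mailbox, plus, key = local.lower().partition(DELIMITER)
    if host == BASE_DOMAIN:
        return mailbox, (key if plus else None)
    suffix = "." + BASE_DOMAIN
    # Key carried as extra host-name labels; refuse if both forms are mixed.
    if host.endswith(suffix) and not plus:
        return mailbox, host[: -len(suffix)]
    raise ValueError("recipient form not handled: %r" % rcpt)


def decide(rcpt):
    """Return 'deliver', 'discard' or 'reject' for one envelope recipient."""
    try:
        mailbox, key = split_recipient(rcpt)
    except ValueError:
        return "reject"
    if mailbox not in VALID_TAGS:
        return "reject"          # no such mailbox here
    if key is None:
        return "deliver"         # assumed policy: untagged mail is still accepted
    # A key is only valid for the user who issued it.
    return "deliver" if key in VALID_TAGS[mailbox] else "discard"


if __name__ == "__main__":
    for sample in ("user+key@domain.tld", "user@key.domain.tld",
                   "user+guessed@domain.tld", "alice+key@domain.tld"):
        print(sample, "->", decide(sample))
```
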