View Issue Details
Main CAcert Website
0000826: Auditing features for fighting abuse of CAcert systems in regard of adding domain/email addresses
CAcert Inc. and its vicarious agents should update their systems to be able to track abuse considering the comments from the discovery which also have been extended and forwarded to cacert-devel.
Thinking about this more generally, from arbitration point of view, the process of adding domains (and email addresses) has to be more auditable. Software team is encouraged to provide input on current implementation or development efforts to rethink the procedure described here. Each automatic mail sent out has to contain a unique identifier by subject and sender/return address. So if a mail is returned CAcert itself can identify: what domain/email, what account, when a possible abuse was tried to be committed. Depending on the volume this handling can be done by support or has to be automated. This also requires a log of the ping mail actions to be kept to identify abuse. The domain/email address additions/verifications for me require auditing functionality to identify abuse and so to protect CAcert from abuse in the long term.
When sending this mail out it should contain more information about reporting abuse (for recipients who have not added the domain themselves). Also the web page which opens when the link is clicked should be more explanatory.
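One way the per-mail identifier and ping log requested above could fit together, as an added sketch that is not CAcert's code: each ping mail gets a random token carried in the subject and in an HMAC-tagged return address, and a returned mail is mapped back to account, domain/email and time. The function names, the key, the subject layout, the `bounce.example.org` domain and the in-memory log are all assumptions.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timezone

# Assumptions for this sketch (not CAcert's implementation):
SECRET_KEY = b"constructed-demo-key"   # would live in protected configuration
BOUNCE_DOMAIN = "bounce.example.org"   # placeholder bounce-handling domain
PING_LOG = {}                          # token -> audit record (a DB table in practice)

def _tag(token: str) -> str:
    """Truncated HMAC over the token so return addresses cannot be forged."""
    return hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()[:16]

def issue_ping(account_id: int, target: str, now=None) -> dict:
    """Record a ping mail in the log and return its unique subject and return address."""
    token = secrets.token_hex(8)       # 16 hex characters, unique per mail
    now = now or datetime.now(timezone.utc)
    PING_LOG[token] = {"account": account_id, "target": target,
                       "sent_at": now.isoformat()}
    return {
        "token": token,
        "subject": f"[ping {token}] Verification request for {target}",
        "return_path": f"ping+{token}.{_tag(token)}@{BOUNCE_DOMAIN}",
    }

_RETURN_PATH = re.compile(r"^ping\+([0-9a-f]{16})\.([0-9a-f]{16})@(.+)$")

def resolve_bounce(return_path: str):
    """Map the envelope recipient of a returned mail to its audit record.

    Returns None for malformed, forged or unknown addresses, so the
    bounce mailbox cannot be used to probe the log.
    """
    m = _RETURN_PATH.match(return_path.strip().lower())
    if not m or m.group(3) != BOUNCE_DOMAIN:
        return None
    token, tag = m.group(1), m.group(2)
    if not hmac.compare_digest(tag, _tag(token)):
        return None
    return PING_LOG.get(token)
```

The same token in the subject lets support find the log entry when a recipient forwards the mail as an abuse report instead of bouncing it.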