On Fri, Mar 19, 2004 at 12:07:32PM -0800, Greg Connor wrote:
> My guess is that RFC2821 MAIL FROM will match From: or Sender: most of the
> time. But, spammers/phishers are crafty - if MAIL FROM / Return-Path
> validation starts in earnest, they may start to diverge from this.
> Spammers will change their behavior a lot faster than admins will update
> their normal MTAs. If we want to validate RFC2822 From: address as Phase
> 2, let's start this research now. If we can anticipate the logical "next
> move" by the spammer we can be ready.

But here, you assume that the RFC2822 identities would be the logical
next target. I'd think that the spammers would be more likely to take a
less subtle approach and try to subvert the authorization mechanism. In
the case of several approaches, this would mean DNS poisoning, denial of
service attacks against nameservers, and other such trickery.

Mark C. Langston, Sr. Unix SysAdmin
Systems & Network Admin, SETI Institute