However Meng seems to be saying that SUBMITTER does not need to match
the header in RFC.2822 that is presented to the end users MUA as the
FROM address. He is quite adamant that the SUBMITTER address need not be
the address that the end user is presented with.
And there is no direct SPF checking of RFC.2822 headers.
So how does this stop phishing.
From: Daryl Odnert [mailto:daryl(_dot_)odnert(_at_)tumbleweed(_dot_)com]
Sent: Thursday, 29 July 2004 3:24 AM
To: Terje Petersen; IETF MARID WG
Subject: RE: alternate submitter syntax
SCENERIO-B: SUBMITTER parameter IS supported on MTA.
MAIL FROM = BOUNCE ADDRESS (NOT SPF TESTED)
SUBMITTER = OTHER ADDRESS (SPF TESTED)
RFC.2822.FROM = REPLY ADDRESS (NOT SPF TESTED)
And in this second scenario I think you are saying that the addresses
can all be different. Which does not seem to solve the phishing
So what am I missing here?
I think what you're missing is this, from
If the receiving SMTP server allows the connecting SMTP client to
transmit message data, then the server SHOULD determine the purported
responsible address of the message by examining the RFC 2822 message
headers as described in [SENDER-ID]. If this purported responsible
address does not match the address appearing in the SUBMITTER
parameter, the receiving SMTP server SHOULD reject the message and
when rejecting MUST use "550 5.7.1 Submitter does not match header."
Redwood City, California