On Friday 09 May 2003 12:06 am, william(_at_)elan(_dot_)net wrote:
> Envelope "From:" is the worst case since most mailing lists use their own
> mailfrom and do not change "From:" (do not assume that what you see in
> outlook is what others would see or that it's really how a maillist message
> looks like), so when your message arrives and mailfrom-aware recipient
> server checks and sees that envelope "From:" is from domain that has
> mailfrom record but connecting mailserver is not on list of those domain
> outgoing mail servers, then it would reject that email - to deal with this
> you have to whitelist maillist to let it through. But if you whitelist
> maillist then spammer can use that and forge "mailfrom" to appear that
> message is coming out of maillist and then your server will accept the
> email even though it came from spammer and even though he did not have
> right to use this envelope "From:".

I re-read my message again and my use of the terms envelope-from and mail-from
was just not done right. Where I said "envelope from" I meant the "mail
from:" part of the SMTP transaction and where I said "mail from" I meant the
mail's "from:" header. But there really isn't any way people could know that
from reading my message. (I will blame the late hour but I should have been
more careful.)

If the "from:" header doesn't match the "mail from" then the MUA should
indicate that to the user.

If the "mail from" doesn't pass the MX MAIL-FROM lookup then the mail should
be able to be denied.

If the "from:" header doesn't pass the MX MAIL-FROM lookup then a warning
might be in order but not a deny since that would disable mailing list
action.

Sorry for the confusion.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg