gep2(_at_)terabites(_dot_)com wrote:
[snip]
What actions can *YOU* take that would allow
verification/authentication of the "From:" during the SMTP transaction ?

I'm not convinced that it's necessarily practical and maybe not even desirable
to even try.
First of all, there are many legitimate reasons for people to send E-mails
through relays, foreign ISPs, or other services not usually associated with
their From: address. They might be travelling (perhaps even internationally) at
an Internet cafe, airport waiting lounge E-mail kiosk, cruise ship Internet
access lounge, in-airplane E-mail service, public library, or post office. In
each of these cases, they clearly want the replies to come to their own (perhaps
"vanity") domain, and maybe they never will ever again even be at the point
where the prior E-mail message was actually sent from.

We're talking about different 'From' addresses. None of the proposals we're
working on deal with the 'From:' header as it appears in the message body.
From what I've seen, it's possible that Yahoo's "Domain Keys" proposal
might, but we don't know.

All of the LMAP implementation proposals deal with the envelope from
address, also known as the return path. That's the parameter to the MAIL
command in SMTP. If travelling people want to set up their domain so that
any source can use it in a MAIL FROM, they're welcome to, just as all
recipients are welcome to block mail claiming to be from that domain.

What's more, consider the case of mailing lists (Yahoogroups is a good example)
as "anonymizers" of sorts of messages. They forward messages (as individual
messages or perhaps as digests) and these sorts of mailing lists are terribly
important to large classes of internet users. Sometimes these messages bear the
original sender's From address, sometimes they bear the list's From address.

Mailing lists are a different case. Most mailing lists rewrite the return
path so that bounces are delivered to the mailing list server or
administrator rather than random posters on the list. Any modern mailer that
doesn't do this better have pretty damn good reasons not to.

Philip Miller
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
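
The distinction drawn in the message above, as an added example that is not part of the original post or of any LMAP proposal: a check keyed on the parameter to the SMTP MAIL command, which never reads the From: header. The `AUTHORIZED` table, the domains, and the addresses are constructed stand-ins for whatever records a given proposal would publish in DNS.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed policy table (assumption): stands in for per-domain DNS records.
# None means the domain owner lets any source use the domain in MAIL FROM.
AUTHORIZED = {
    "example.org": ["192.0.2.0/24"],
    "lists.example.net": ["198.51.100.25/32"],
    "vanity.example": None,
}

def envelope_sender(smtp_lines):
    """Return the address given as the parameter to the SMTP MAIL command."""
    for line in smtp_lines:
        if line.upper().startswith("MAIL FROM:"):
            param = line[len("MAIL FROM:"):].strip().split()
            return param[0].strip("<>") if param else ""
    return None

def lmap_check(client_ip, smtp_lines):
    """Judge the connecting IP against the envelope sender's domain only."""
    sender = envelope_sender(smtp_lines)
    if not sender or "@" not in sender:
        return "none"   # null return path (a bounce) or no MAIL command seen
    domain = sender.rsplit("@", 1)[1].lower()
    if domain not in AUTHORIZED:
        return "none"   # domain publishes no policy
    nets = AUTHORIZED[domain]
    if nets is None:
        return "pass"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

def header_from(raw_message):
    """The From: header inside the message, which lmap_check never consults."""
    return parseaddr(message_from_string(raw_message)["From"])[1]

# Constructed sample: a list server relays a post, keeping the poster's From:
# header but rewriting the return path to its own bounce address.
LIST_SESSION = ["EHLO lists.example.net",
                "MAIL FROM:<asrg-bounces@lists.example.net>",
                "RCPT TO:<reader@example.com>"]
LIST_MESSAGE = "From: Poster <poster@example.org>\nSubject: test\n\nbody\n"
# Constructed sample: the poster's domain in MAIL FROM, with no list rewrite.
UNLISTED_SESSION = ["MAIL FROM:<poster@example.org>", "RCPT TO:<r@example.com>"]

if __name__ == "__main__":
    print(header_from(LIST_MESSAGE), lmap_check("198.51.100.25", LIST_SESSION))
    print(lmap_check("203.0.113.7", UNLISTED_SESSION))
```

The list post passes although its From: header names a domain the list server is not listed for, because only the rewritten return path is evaluated.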