On Fri, 6 Feb 2004 15:25, Chris wrote:
> for privacy reasons they don't simply give out email addresses
> So ebay posts the mail using the from address as ebay cust 1
> therefore ebay cust 2 can reply to ebay cust 1 directly
> this is in effect a spoofed return address

At the risk of being patronising, I need to point out that this is *not* what
we would call "spoofing". Here are the ABCs of email addressing.

There are two areas where email addresses are used: the "envelope", and the
"message headers". The "envelope" is that part which is negotiated in SMTP
using the "MAIL From:" and "RCPT To:" commands. The "message headers" are
that part of the message (transmitted in the DATA phase of SMTP) which
specify the message metadata, including certain address specifications, like
"From:", "To:", "Cc:", "Sender:", "Return-Path:", and various others. The
"message headers" are what the mail user gets to see, since the envelope data
is not transmitted in POP or IMAP.

"Spoofed mail addresses" refer specifically to the "MAIL From:" part of the
envelope. This is what LMAP-like proposals endeavour to validate. The "MAIL
From:" address is the one that a bounce should be directed to in the case of
a delivery failure part way through the relaying process. All the addresses
in the "message header" can also be fabricated at whim by the sender (and are
usually false in the case of spam or viruses). I don't know of any proposals
to validate these header fields.

Please note that there does not need to be *any* relationship between the
envelope addresses and the "From:", "To:", and "Cc:" headers -- not even when
standards are followed to the letter. In the case of the eBay example, eBay
is quite at liberty (protocol-wise) to send mail in which the "From:" header
is an eBay customer's address, while the "MAIL From:" envelope address is an
eBay address.

Regards,
TFBW
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
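
The envelope/header split described in the message above, as an added example that is not part of the original post: it separates the "MAIL From:" and "RCPT To:" envelope from the headers sent in the DATA phase and shows the bounce address beside the address a mail client would display. The transcript, all addresses, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed client-side SMTP lines; every address is a placeholder.
SESSION = """\
MAIL From:<bounces@marketplace.example>
RCPT To:<buyer@isp.example>
DATA
From: Seller <seller@mail.example>
To: buyer@isp.example
Subject: Question about your item

Is the item still available?
.
"""

def path_of(arg):
    """Extract the address between < and > in a MAIL/RCPT argument."""
    start, end = arg.find("<"), arg.find(">")
    return arg[start + 1:end] if 0 <= start < end else arg.strip()

def split_session(transcript):
    """Separate the envelope commands from the message sent after DATA."""
    envelope = {"mail_from": None, "rcpt_to": []}
    data, in_data = [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":            # lone dot ends the DATA phase
                in_data = False
            else:                      # undo SMTP dot-stuffing
                data.append(line[1:] if line.startswith(".") else line)
        elif line.upper().startswith("MAIL FROM:"):
            envelope["mail_from"] = path_of(line[10:])
        elif line.upper().startswith("RCPT TO:"):
            envelope["rcpt_to"].append(path_of(line[8:]))
        elif line.upper() == "DATA":
            in_data = True
    return envelope, "\n".join(data) + "\n"

def views(transcript):
    """Show the bounce address next to what a mail client displays."""
    envelope, text = split_session(transcript)
    msg = message_from_string(text)
    return {
        "bounce_to": envelope["mail_from"],
        "delivered_to": envelope["rcpt_to"],
        "header_from": parseaddr(msg["From"])[1],
        "header_to": parseaddr(msg["To"])[1],
    }
```

Calling views(SESSION) returns a bounce address in one domain and a displayed "From:" in another, which is the protocol-legal arrangement the eBay case relies on.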