ietf-asrg

Re: [Asrg] Spoofed mail addresses; envelope and header addresses !=

2004-02-12 13:54:04
On 2/4/2004 6:21 AM, Christopher Bird sent forth electrons to convey:

...
Computerworld and The Wall Street Journal both have the ability to email
articles to friends. A handy service indeed. The glitch is that when the email arrives in my inbox, the from address
is the address of the person sending it, not the publication itself.
Those guys have spoofed my email address if I am the sender. Clearly the
mail needs to be identified as being sent at my request, but I am
definitely not the sender. They are.

Therefore they should not forge headers to make it appear otherwise.
LMAP enforces this suggestion.
E.g. the email could come from "Christopher Bird" <articlebot(_at_)wsj(_dot_)com>, or the envelope from could not match the header from.
(IMO, a discussion of what to do when envelope and header (e.g. From: or Sender:) addresses don't match is needed; probably there was one I missed on SPAM-L, ASRG or spf-discuss? I find it hard to swallow the LMAP discussion document's statement that it's not in scope; IMO LMAP should not allow forged email that appears to the end user (based on the header's From:) to be from paypal just because the envelope address identifies the mail as being from phisher.dom. I'm looking for a detailed discussion of when what comparisons can and can't be safely used.)

But they also may want to consider restricting its use, so it's less of an open relay. E.g. a spammer mustn't be able to send an article from Mr. Fiveentsapill Viagrapharmacydotcom to you (perhaps with a comment about how great the pharmacy and drug are, if that's also permitted by the WSJ system). Frankly, they should simply provide a mailto: link that inserts a URL into the body, and ditch the whole rest of the system.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
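
The envelope-versus-header comparison raised in the message above, as an added example that is not part of the original post or of any LMAP proposal. The function name, the verdict labels and every address other than articlebot@wsj.com are constructed for illustration, and domains are compared by exact match only.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def domain_of(addr):
    """Lower-cased domain part, or '' when there is no '@' (e.g. null sender)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def compare_identities(envelope_from, raw_message):
    """Classify how the SMTP envelope sender relates to From:/Sender: headers.

    Exact domain comparison only; subdomains count as different domains
    (a simplification assumed for this example).
    """
    msg = message_from_string(raw_message)
    env_dom = domain_of(envelope_from.strip().strip("<>"))
    if not env_dom:
        return "null-envelope"    # bounce (<>): nothing to compare against
    from_doms = {domain_of(a) for _, a in getaddresses(msg.get_all("From", []))}
    if not from_doms or "" in from_doms:
        return "no-usable-from"
    if from_doms == {env_dom}:
        return "aligned"          # what the user sees is what was checked
    sender_dom = domain_of(parseaddr(msg.get("Sender", ""))[1])
    if sender_dom == env_dom:
        return "sender-declared"  # From: differs, Sender: names the real sender
    return "mismatch"             # an envelope check says nothing about From:


# Constructed samples: (envelope sender, raw message).
SAMPLES = {
    "article_forged_from": ("articlebot@wsj.com",
        "From: Christopher Bird <cbird@reader.example>\nSubject: article\n\nbody\n"),
    "article_bot_from": ("articlebot@wsj.com",
        'From: "Christopher Bird" <articlebot@wsj.com>\nSubject: article\n\nbody\n'),
    "article_with_sender": ("articlebot@wsj.com",
        "From: cbird@reader.example\nSender: articlebot@wsj.com\n\nbody\n"),
    "phish": ("x@phisher.dom",
        "From: PayPal <service@paypal.example>\nSubject: verify\n\nbody\n"),
    "bounce": ("<>", "From: mailer-daemon@mx.example\n\nbody\n"),
}


def classify_samples():
    return {name: compare_identities(env, raw) for name, (env, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22} {verdict}")
```

The "phish" sample is the case the message worries about: an envelope check alone would succeed for phisher.dom, while the comparison reports a mismatch with the From: header the user sees.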