ietf-asrg

Re: [Asrg] Spooked mail addresses

2004-02-17 08:06:08
Peter Sergeant <pete(_at_)clueball(_dot_)com> wrote:
Assuming that I'm using a web-based email system that ties me
inextricably to their email address. I happen to access my email via a
web-system when travelling, where normally I access it through an MUA on
my machine - in this case, and in the case where I ask a third party to
send an invite or an article in my name, the software sitting on the
web-server is acting as an MUA. I do not see where the distinction
between 'normal' and web-based MUA lies that makes email originating
from one spam, and not the other.

  It doesn't.

The site offering 'send a friend this link' allows you to type in any
From address, and forges a message from you.

You say 'forges', but isn't this exactly what any MUA does? I can
configure 'mutt' to send email from you - this doesn't mean that
legitimate mail I send from 'mutt' is also by definition spam.

  Most MUAs can send mail "from" anyone.  But since that mail goes
through an MTA, that MTA can control, validate, or accept
responsibility for the "from" line.

  If your MTA is "example.com", and your MTA is sending as
"user(_at_)example(_dot_)com", it's trivial for the recipient to tell that the
mail is probably authorized.  If your MUA is sending as
"user(_at_)hotmail(_dot_)com", then the recipient *cannot* tell if it was
authorized.

Since there is no technical way for the recipient to verify that you
authorized that message, there is no technical difference between it,
and simple forged spam.

Where does this assumption come from? Many online content providers
these days require you to log in.

  So?  How the heck does the recipient know that a message from
"user(_at_)example(_dot_)com", which came through the MTA for "cnn.com", is
actually associated with that user?  Even CNN may not know it.

Either the web site should produce an email that's easy for the end-user
to send, or the source address should belong to the source of the email
- the website.

I believe this conclusion is based on flawed logic.

  I don't see why.

  Alan DeKok.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
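
The recipient-side comparison argued in the reply above, as an added example that is not part of the original message or of any list member's code: it compares the From: domain with the host that handed over the message and reports whether the recipient has anything to go on. The function names and sample messages are constructed, and `sending_mta_host` is assumed to be a peer name the receiving MTA has already verified.

```python
from email import message_from_string
from email.utils import parseaddr


def from_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From: header, or '' if absent."""
    msg = message_from_string(raw_message)
    # parseaddr separates the display name from the actual address, so a
    # display name that merely looks like an address is ignored.
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify(raw_message: str, sending_mta_host: str) -> str:
    """Compare the From: domain with the host that delivered the message.

    Assumption: sending_mta_host is a name the receiving MTA has already
    verified (for example by forward-confirmed reverse DNS).
    Returns 'aligned' when the MTA belongs to the From: domain, otherwise
    'unverifiable': the recipient cannot tell authorized mail from forgery.
    """
    domain = from_domain(raw_message)
    host = sending_mta_host.lower().rstrip(".")
    if not domain or not host:
        return "unverifiable"
    # Exact match or a true subdomain; 'notexample.com' must not match.
    if host == domain or host.endswith("." + domain):
        return "aligned"
    return "unverifiable"


# Constructed sample messages using the domains named in the thread.
OWN_DOMAIN = "From: user@example.com\nSubject: hello\n\nbody\n"
WEBMAIL_FROM = "From: user@hotmail.com\nSubject: hello\n\nbody\n"
LOOKALIKE = 'From: "user@hotmail.com" <user@example.com>\nSubject: x\n\nbody\n'

if __name__ == "__main__":
    print(classify(OWN_DOMAIN, "example.com"))    # MTA and From: agree
    print(classify(WEBMAIL_FROM, "example.com"))  # From: names another domain
    print(classify(OWN_DOMAIN, "cnn.com"))        # "send a friend this link"
```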