ietf-mxcomp

Re: when spoofing isn't

2004-03-18 22:01:11

On Thu, Mar 18, 2004 at 07:26:05PM -0800, Dave Crocker wrote:
Meng,


MWW> |   Could you provide us with an example of what you view as legitimate
MWW> | spoofing of RFC2821 MAIL FROM and RFC2822 header From:?

MWW> Legitimate spoofing of RFC2821 MAIL FROM:

Dictionary.com:

   tr.v. spoofed, spoof·ing, spoofs

   1. To deceive.

"legitimate spoofing" is an oxymoron.


MWW> - web-generated email (I log in to eBay and send mail using eBay's web
MWW>   UI to another eBay member; I want to see bounces.)

That's not spoofing.  It is entirely fine for you to do it and you are
not deceiving anyone. 

Except when it isn't fine to do it.  

I may not articulate this well, so if the following is confusing, please
ask for clarification.

If the service provider has clauses in their acceptable use policy (as
many seem to, these days) that specify that mail headers may not be
molested, it would seem that the above would indeed be considered
"spoofing", because you're deceiving the recipient...but only in the
eyes of the service provider.  The service provider expects outgoing
mail to have the account and domain name given to the user in the
RFC2822 From: header.  When the recipient receives mail from that
service provider's MTA, with the service provider's HELO and RFC2821
ENVELOPE-FROM, but with RFC2822 headers that do not reflect use of the
service provider's services, the service provider may infer that the
sending entity was attempting to deceive the recipient.

Deception appears to be relative.  

I agree that "[il]legitimate spoofing" is an awkward term, but there are
four parties with an interest in the identifying information attached to
an outgoing email:  The sending entity, the sending entity's provider,
the recipient's provider, and the recipient.   Any one of these may
consider alteration of identifying information an attempt at deception
(consider the case in which the sending entity's ISP substitutes the
entity's account name and the ISP's domain name in the From: header of
outgoing email, overwriting whatever the sending entity had put there).

On a somewhat related note, it would seem we are moving towards
requiring all outbound email to be routed through authorized MTAs, and
doing away with the ability to connect directly to a recipient's MX to
send an email.  I'm not bringing it up because I necessarily view it as
a bad thing; I'm unsure how prevalent this behavior still is, and
whether it's something to keep in mind.


-- 
Mark C. Langston                                    Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org                                       
mark(_at_)seti(_dot_)org
Systems & Network Admin                                SETI Institute
http://bitshift.org                               http://www.seti.org