On Monday, June 28, 2004 9:36 AM, Greg Connor wrote:
On Mon, 28 Jun 2004, Matthew Elvey wrote:
Only if you're assuming that the SUBMITTER is added following 'the
rules'. The spec doesn't say that mail with a falsified SUBMITTER
should be refused or discarded. (I hate all the pussyfooting around
the discard option.)
Actually that was the original intent -- if it didn't get
added to the draft it probably should be. A message that
claims a certain SUBMITTER but doesn't have that address in
the right place should be rejected after DATA and should not
be accepted.
The spec does say this. From section 4.2:
If the receiving SMTP server allows the connecting SMTP client to
transmit message data, then the server SHOULD determine the purported
responsible address of the message by examining the RFC 2822 message
headers as described in [SENDER-ID]. If this purported responsible
address does not match the address appearing in the SUBMITTER
parameter, the receiving SMTP server MUST reject the message using
"550 5.7.1 Submitter does not match header."
If this needs some further clarification, please let me know.
Also, I have thought of a possible legal problem with SUBMITTER - The
US' YOU CAN SPAM bill, IIRC, forbids falsified headers. Is the
envelope part of the header? Arguably not. If not, will future
spammers be able to send email with falsified SUBMITTER info but
without falsified headers? OTOH, the headers are misleading if they
don't match the SUBMITTER, just like a Subject that doesn't describe
the body is misleading. So this is probably a non-issue.
The way it is defined, SUBMITTER needs to reflect one of the
headers. If the SUBMITTER says one thing and the headers
suggest PRA is different, I would hope it would be rejected.
If the questionable message is not rejected for some reason,
the MTA should probably insert something in the Received:
line or next to it that says "MTA claimed Submitter was x(_at_)x"
It should be rejected.
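
The post-DATA check quoted from section 4.2 above, sketched as an added example (not code from the draft or from any poster in this thread). It assumes a simplified header precedence for the purported responsible address (Resent-Sender, Resent-From, Sender, From); the function names and the sample message are constructed for illustration, and treating an undeterminable address as a mismatch is an assumption.

```python
from email import message_from_string
from email.utils import getaddresses

# Reply text exactly as quoted from section 4.2.
REJECT = "550 5.7.1 Submitter does not match header."
# Assumption: simplified precedence. The full algorithm in [SENDER-ID] also
# looks at where Resent-* headers sit relative to the trace headers.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def normalize(addr):
    """Lowercase only the domain; None if the value is not local@domain."""
    local, at, domain = addr.strip().rpartition("@")
    return f"{local}@{domain.lower()}" if at and local and domain else None

def purported_responsible_address(raw_message):
    """Return the address from the first header present in PRA_HEADERS."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        values = msg.get_all(name)
        if not values:
            continue
        mailboxes = [a for _, a in getaddresses(values[:1]) if a]
        # Zero or several mailboxes in the selected header: ambiguous.
        return normalize(mailboxes[0]) if len(mailboxes) == 1 else None
    return None

def check_submitter(submitter, raw_message):
    """Compare the MAIL FROM SUBMITTER= value with the headers after DATA."""
    pra = purported_responsible_address(raw_message)
    claimed = normalize(submitter)
    # Assumption: an undeterminable address on either side counts as a mismatch.
    if pra is None or claimed is None or pra != claimed:
        return (False, REJECT)
    return (True, None)

# Constructed sample: a list forwards Alice's mail and adds its own Sender.
FORWARDED = "\n".join([
    "Sender: list-owner@lists.example.org",
    "From: Alice <alice@example.com>",
    "To: members@lists.example.org",
    "Subject: meeting notes",
    "",
    "body",
])

if __name__ == "__main__":
    print(check_submitter("list-owner@lists.example.org", FORWARDED))
    print(check_submitter("alice@example.com", FORWARDED))
```

Here the forwarder's address matches because Sender outranks From; claiming the original author's address in SUBMITTER gets the 550 reply.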