ietf-mxcomp

RE: draft-ietf-marid-submitter-01.txt

2004-06-28 11:09:36

On Monday, June 28, 2004 9:36 AM, Greg Connor wrote:

On Mon, 28 Jun 2004, Matthew Elvey wrote:

Only if you're assuming that the SUBMITTER is added following 'the
rules'.  The spec doesn't say that mail with a falsified SUBMITTER
should be refused or discarded.  (I hate all the pussyfooting around
the discard option.)


Actually that was the original intent -- if it didn't get 
added to the draft it probably should be.  A message that 
claims a certain SUBMITTER but doesn't have that address in 
the right place should be rejected after DATA and should not 
be accepted.


The spec does say this.  From section 4.2:

   If the receiving SMTP server allows the connecting SMTP client to
   transmit message data, then the server SHOULD determine the purported
   responsible address of the message by examining the RFC 2822 message
   headers as described in [SENDER-ID].  If this purported responsible
   address does not match the address appearing in the SUBMITTER 
   parameter, the receiving SMTP server MUST reject the message using 
   "550 5.7.1 Submitter does not match header."

If this needs some further clarification, please let me know.


Also, I have thought of a possible legal problem with SUBMITTER - The
US' YOU CAN SPAM bill, IIRC, forbids falsified headers.  Is the
envelope part of the header? Arguably not.  If not, will future
spammers be able to send email with falsified SUBMITTER info but
without falsified headers?  OTOH, the headers are misleading if they
don't match the SUBMITTER, just like a Subject that doesn't describe
the body is misleading.  So this is probably a non-issue.


The way it is defined, SUBMITTER needs to reflect one of the 
headers.  If the SUBMITTER says one thing and the headers 
suggest PRA is different, I would hope it would be rejected.  
If the questionable message is not rejected for some reason, 
the MTA should probably insert something in the Received: 
line or next to it that says "MTA claimed Submitter was x(_at_)x"


It should be rejected.
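
The section 4.2 check quoted above, sketched in Python as an added example that is not part of this thread or of the draft. The header precedence in `PRA_HEADERS` is a simplified assumption ([SENDER-ID] defines the actual selection), the function names and the sample message are constructed, and treating an undeterminable address as a mismatch is also an assumption.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed, simplified precedence; [SENDER-ID] defines the real PRA selection.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")
REJECT = "550 5.7.1 Submitter does not match header."

# Constructed sample: a list forwarder that adds its own Sender header.
SAMPLE = (
    "Received: from mx.lists.example.net by mail.example.com\n"
    "From: Alice <alice@example.org>\n"
    "Sender: list-owner@lists.example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def normalize(addr):
    """Lowercase the domain only; local parts are compared as sent."""
    local, _, domain = addr.strip().strip("<>").rpartition("@")
    return f"{local}@{domain.lower()}"


def purported_responsible_address(raw_message):
    """Return the PRA, or None if it is missing or ambiguous."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        values = msg.get_all(name)
        if not values:
            continue
        # Resent-* may repeat (topmost wins); repeated Sender/From is ambiguous.
        if len(values) > 1 and not name.startswith("Resent-"):
            return None
        addrs = [a for _, a in getaddresses(values[:1]) if a]
        if len(addrs) != 1 or "@" not in addrs[0]:
            return None
        return normalize(addrs[0])
    return None


def check_submitter(submitter, raw_message):
    """Run after DATA. Returns None to accept, or the SMTP rejection line."""
    if submitter is None:
        return None  # client made no SUBMITTER claim; nothing to compare
    pra = purported_responsible_address(raw_message)
    # Assumption: an undeterminable PRA is treated as a mismatch.
    if pra is None or pra != normalize(submitter):
        return REJECT
    return None
```

With the sample message, a SUBMITTER of `list-owner@lists.example.net` is accepted, while `alice@example.org` is rejected because the Sender header takes precedence over From.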