ietf-mxcomp

Re: So ... did Dewey beat Truman?

2004-08-07 04:46:46

Frank Ellermann <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> writes:

> No, with SPF/FROM-HDR they will delete their sender policy.
> Users want to use "their" mailbox address in From: headers,
> even if it doesn't match the MAIL FROM.

[snip]

> The typical user cannot define his own personal sender policy,
> just like a typical user cannot define his own personal REJECT
> rules.  Big ISPs won't offer this, it's too expensive and too
> complex.

But will the 'typical' big ISP user want to use a From: address which
is different from the ISP allocated (MAIL FROM) address? If the
customer wants to define his own sender or reject policy or use his
own domain then he always has the option of using a mail hosting
service or moving to a smaller ISP which does offer this.

For larger companies, especially those like financial institutions who
are likely targets of phishing, it would be to their advantage to
ensure that all mail they send out has their domain in all of the MAIL
FROM, EHLO, and From:. The current practice I have seen of well known
companies sending out (legitimate) mailshots (to customers) with a
MAIL FROM and EHLO of somepr-or-marketting-company.com with From:
someuser(_at_)wellknowcompany(_dot_)com does not help at all in the fight
against phishing.
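
Added example, not part of the original message: a sketch of the alignment check the last paragraph implies, comparing the EHLO name, the envelope MAIL FROM and the From: header against one organisational domain. The function names, the `.example` domains and the sample messages are constructed for illustration, and the expected domain is supplied by the caller rather than derived from a public-suffix list.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

def _domain(addr):
    """Lower-cased domain of an address; '' for the null sender '<>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower().rstrip(".")

def _within(domain, org):
    """True if domain is org itself or a subdomain of it (not a lookalike suffix)."""
    return domain == org or domain.endswith("." + org)

def check_alignment(org, ehlo, mail_from, raw_message):
    """Return (identity, value) pairs whose domain falls outside `org`."""
    msg = message_from_string(raw_message)
    from_domains = [_domain(a) for _, a in getaddresses(msg.get_all("From", []))]
    problems = []
    if not _within(ehlo.lower().rstrip("."), org):
        problems.append(("EHLO", ehlo))
    env = _domain(mail_from)
    if env and not _within(env, org):  # a bounce's null sender has no domain to compare
        problems.append(("MAIL FROM", env))
    if not from_domains:
        problems.append(("From:", "<missing>"))
    problems += [("From:", d) for d in from_domains if not _within(d, org)]
    return problems

# Constructed sample: a mailshot sent through a third party, as the message describes.
MAILSHOT = (
    "From: Customer Service <someuser@bank.example>\n"
    "Subject: Your statement\n"
    "\n"
    "Hello.\n"
)

def demo():
    outsourced = check_alignment("bank.example", "mta1.marketing.example",
                                 "<bounces@marketing.example>", MAILSHOT)
    aligned = check_alignment("bank.example", "mail.bank.example",
                              "<news@bank.example>", MAILSHOT)
    return outsourced, aligned

if __name__ == "__main__":
    for label, result in zip(("outsourced", "aligned"), demo()):
        print(label, result or "all three identities aligned")
```
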