ietf-mxcomp

Re: Sender-ID and last hop validation

2004-08-19 00:21:35

"Alan DeKok" <aland(_at_)ox(_dot_)org> writes:

  If pobox has claimed responsibility for the message via the fields
used by PRA, then the MyWork MTA can verify that the message passes
the rules published by pobox.com.

  If pobox does not claim responsibility, and just forwards the
message without touching the PRA fields, then the message must pass
the rules published by the responsible domain as determined by PRA.
Odds are, because the message now comes from pobox, that it won't.

So what happens if someone sets up a phisher-friendly forwarding
system which does not perform PRA tests on incoming mail but which
generates valid PRA on the outgoing mail (i.e., adds a Resent-From:
and SUBMITTER)? This mail would pass all the tests but still be a
forgery.
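
The last-hop behaviour discussed in this message, as an added example that is not part of the original post: a receiver-side check using a simplified PRA precedence (Resent-Sender, Resent-From, Sender, From; the full selection rules, later published as RFC 4407, have more cases). The domains, IP addresses, `POLICY` table (standing in for the rules each domain publishes in DNS) and the `author_unverified` flag are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Simplified PRA precedence: the first non-empty header in this order wins.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

# Constructed stand-in for the per-domain rules normally published in DNS.
POLICY = {
    "bank.example": {"192.0.2.10"},
    "forwarder.example": {"198.51.100.7"},
}

def domain_of(value):
    """Return the lowercased domain if the header holds exactly one mailbox."""
    addrs = [a for _, a in getaddresses([value]) if "@" in a]
    return addrs[0].rsplit("@", 1)[1].lower() if len(addrs) == 1 else None

def pra_domain(msg):
    """Pick the purported responsible domain from the message headers."""
    for name in PRA_ORDER:
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if values:
            return domain_of(values[0])
    return None

def check(raw, client_ip):
    """Validate the connecting IP against the PRA domain's rules only."""
    msg = message_from_string(raw)
    pra = pra_domain(msg)
    author = domain_of(msg.get("From", ""))
    result = "pass" if client_ip in POLICY.get(pra, set()) else "fail"
    # A pass vouches for the last hop; the From: domain was never tested
    # when it differs from the PRA domain, so surface that to the caller.
    return {"pra": pra, "author": author, "result": result,
            "author_unverified": result == "pass" and author != pra}

# Constructed sample messages, both delivered from the forwarder's address.
UNTOUCHED = ("From: Security <alerts@bank.example>\n"
             "Subject: constructed sample\n\nbody\n")
RESENT = "Resent-From: relay@forwarder.example\n" + UNTOUCHED

if __name__ == "__main__":
    for label, raw in (("untouched", UNTOUCHED), ("resent", RESENT)):
        print(label, check(raw, "198.51.100.7"))
```

A receiver that records `author_unverified` can treat such a pass as a statement about the forwarder alone and weigh the forwarder's reputation separately.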

