On Fri, Sep 03, 2004 at 06:25:21AM +0100, Graham Murray wrote:
|
| Rand Wacker <rand(_at_)sendmail(_dot_)com> writes:
|
| > As I said before, there is a large majority of mail that goes from large
| > commercial sites (or consumer ISPs) merely one hop to another large
| > commercial ISP, so the From: header will be successfully authenticated.
|
| In the case of sending from a large ISP (and that includes commercial
| sites who outsource email) that is not true. Unless the ISP does
| additional checking then Sender-ID (and SPF) still allows a customer
| of the ISP to forge the mail as coming from any other customer of that
| ISP.
My read of most ISPs is that they are willing to move in
this direction if it proves necessary. Many ISPs are
beginning to roll out (mandatory) SMTP AUTH. With that in
place, halting cross-customer forgery becomes a much more
likely proposition.