ietf-mxcomp

RE: TECH OMISSION: Stronger checks against email forgery

2004-09-07 09:43:49

[Yakov Shafranovich]
2. The "Sender" header is being verified over the "From" 
header. While according to the RFC that is the agent 
introducing the message into the email system, the 
"Sender" header is not displayed in MUAs.

This may be one of the rare cases where Microsoft MUAs are "more RFC
compliant" than most others; Outlook 2000 and newer do in fact show a
message with a Sender header as "From <sender header> on behalf of <from
header>".

But then again, even the latest Outlook 2003 SP1 / Outlook Express
versions do *not* handle the "resent-from" and "resent-sender" headers
that are part of the Microsoft PRA algorithm (and RFC-2822). Obviously,
MS will change this in future versions of their MUAs, but as it stands
now, sender ID will not be very effective at preventing phishing and
other types of forgery. (Outlook Express doesn't appear to do anything
with even the "Sender" header, in any version I've tried).

I always thought that rewriting the RFC-2822 "From" header at the MDA to
show the PRA in some fashion should be a MAY or SHOULD action in the
Sender-ID spec, to handle legacy MUAs that don't show the PRA fields to
the user.

--
Ryan
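The header precedence Ryan is talking about (Resent-Sender, then Resent-From, then Sender, then From, as later written down in RFC 4407 section 2) and his "rewrite From at the MDA" idea, as an added example that is not code from this thread, from Microsoft's Sender-ID implementation or from any MDA. It walks the headers in message order, applies the Received/Return-Path rule that separates one resend block from an older one, and then puts the PRA into the From header in an Outlook-style "on behalf of" shape. The display form and the X-Original-From header name are assumptions for the example; the sample messages are constructed, not captured traffic.

```python
"""PRA selection (RFC 4407 section 2) plus a legacy-MUA From rewrite.

Added example, not code from the ietf-mxcomp thread or any real MDA.
"""
import email
from email.utils import formataddr, getaddresses, parseaddr

TRACE = ("received", "return-path")


def parse(raw):
    """Parse an RFC 2822 message; email.message keeps header order."""
    return email.message_from_string(raw)


def _mailboxes(value):
    """Mailboxes in a header value as (display-name, addr); empty addrs dropped."""
    return [(name, addr) for name, addr in getaddresses([value]) if addr]


def select_pra(msg):
    """Return (header_name, address) for the PRA, or None when it is undefined.

    Index 0 is the topmost header, i.e. the one added most recently.
    """
    headers = [(name.lower(), value) for name, value in msg.items()]

    def first(name):
        for i, (n, v) in enumerate(headers):
            if n == name and v.strip():
                return i
        return None

    def nonempty(name):
        return [v for n, v in headers if n == name and v.strip()]

    chosen = None
    rs = first("resent-sender")
    rf = first("resent-from")
    # Step 1: first non-empty Resent-Sender, unless a Received/Return-Path sits
    # between it and the first preceding Resent-From; then the Resent-Sender
    # belongs to an older resend block and is skipped.
    if rs is not None:
        older_block = (rf is not None and rf < rs
                       and any(headers[i][0] in TRACE for i in range(rf + 1, rs)))
        if not older_block:
            chosen = headers[rs]
    # Step 2: first non-empty Resent-From.
    if chosen is None and rf is not None:
        chosen = headers[rf]
    # Step 3: exactly one non-empty Sender; more than one is an error.
    if chosen is None:
        senders = nonempty("sender")
        if len(senders) > 1:
            return None
        if len(senders) == 1:
            chosen = ("sender", senders[0])
    # Step 4: exactly one non-empty From; anything else is an error.
    if chosen is None:
        froms = nonempty("from")
        if len(froms) != 1:
            return None
        chosen = ("from", froms[0])
    # Step 5: the selected header must hold exactly one mailbox.
    name, value = chosen
    boxes = _mailboxes(value)
    if len(boxes) != 1:
        return None
    return (name.title(), boxes[0][1])


def rewrite_from_for_legacy_mua(msg):
    """Rewrite From so an MUA that ignores Sender/Resent-* still shows the PRA.

    Assumed shape (not from any spec): From carries the PRA address with a
    display name modelled on Outlook's "<sender> on behalf of <from>", and
    the original From is preserved in X-Original-From (assumed header name).
    Returns the new From value, or None when nothing needed rewriting.
    """
    pra = select_pra(msg)
    if pra is None:
        return None
    header, pra_addr = pra
    original = msg.get("From", "")
    if header == "From" or parseaddr(original)[1].lower() == pra_addr.lower():
        return None  # From already names the PRA; nothing to surface
    new_from = formataddr((f"{pra_addr} on behalf of {original}", pra_addr))
    msg["X-Original-From"] = original
    if "From" in msg:
        msg.replace_header("From", new_from)
    else:
        msg["From"] = new_from
    return new_from


# Constructed sample messages for the example; not real traffic.
MSG_PLAIN = "From: Alice Example <alice@example.com>\nTo: bob@example.org\n\nbody\n"
MSG_LIST = ("Sender: list-bounces@lists.example.net\n"
            "From: Alice Example <alice@example.com>\n\nbody\n")
MSG_RESENT_NEW = ("Resent-From: Dan <dan@example.com>\n"
                  "Resent-Sender: forwarder@example.com\n"
                  "From: Alice Example <alice@example.com>\n\nbody\n")
MSG_RESENT_OLD = ("Received: from mx.example.org by mail.example.org\n"
                  "Resent-From: Carol <carol@example.org>\n"
                  "Received: from mail.example.com by mx.example.org\n"
                  "Resent-From: Dan <dan@example.com>\n"
                  "Resent-Sender: forwarder@example.com\n"
                  "From: Alice Example <alice@example.com>\n\nbody\n")
MSG_TWO_SENDERS = "Sender: a@example.com\nSender: b@example.com\nFrom: c@example.com\n\nbody\n"

if __name__ == "__main__":
    for raw in (MSG_PLAIN, MSG_LIST, MSG_RESENT_NEW, MSG_RESENT_OLD, MSG_TWO_SENDERS):
        m = parse(raw)
        print(select_pra(m), "->", rewrite_from_for_legacy_mua(m))
```

In MSG_RESENT_OLD the Resent-Sender is separated from Carol's Resent-From by a Received header, so it belongs to Dan's earlier resend and Carol's Resent-From wins; in MSG_RESENT_NEW the two sit in one block and the Resent-Sender wins. The rewrite leaves a message alone when the PRA already is the From mailbox, which is the case for plain single-author mail and avoids touching the majority of traffic.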