Douglas Otis wrote:
On Wed, 2004-09-08 at 11:19, Yakov Shafranovich wrote:
Jim Fenton wrote:
At 11:45 AM 9/8/2004 -0400, Meng Weng Wong wrote:
Step 2: HELO bob.mta MAIL FROM:<alice> SUBMITTER=<bob> RCPT
TO:<robert> DATA Resent-From: <bob>
At step 2, the receiver can apply spf/HELO tests (or SPF Lite or
CSV or even IP based whitelisting) to bob.mta, and approve the
forwarder based on that.
The receiver can also apply spf/SUBMITTER tests to <bob>, and
approve the forwarder based on that.
Wouldn't this require a PRA check to verify that SUBMITTER is
consistent with the message headers, and wouldn't that be encumbered?
No, SUBMITTER would be compared against the Sender-ID records directly
without touching the headers.
This means there would be no record which identity was used to permit
the message. What an ideal way to spoof.
Let me rephrase that: SUBMITTER would be compared against the Sender-ID
records directly without *examining* the headers.
You can still record the result of that and the parameter in some header.
Yakov