
RE: Anti-Spoofing Technology

2005-04-17 18:22:01

 I had not yet looked at RFC 2822, but I have now pulled a copy and I am
 taking a look at it.

 What I am really thinking about is the mailbox designated by the "From:"

 I know that when a message is being transmitted between servers, it is
 really far too late to make any determination as to the validity of the
 "From:" header.

Not necessarily.  That is what the domainkeys and iim efforts are addressing, 
though not within smtp, per se.

 However, it seems to me that when a message first enters the mail system
 (i.e., an ISP SMTP server receives a message from a client of that ISP),
 validation of the return address could be required.  

The problem with the rfc2821.mailfrom address is that it often is highly 
UNrelated to the rfc2822.from.  There might be a logical relationship, but 
nothing explicitly similar between the strings.  

Specifically, the
 "From" mailbox specified in the message header could, pursuant to an SMTP
 extension, be validated against a list of mailboxes allocated by the ISP
 to the client with whom the SMTP server is in session.

This might be useful for the submission segment, where the client is required 
to be related to the server, but not useful later in the MTA sequence.  As 
already noted in the thread, the SMTP Auth mechanism probably gives you what 
you need, although not explicitly required to be the same as the From field.

More generally, the problem with tying a user-level address to a 
transfer-level registration is that it creates an administrative nightmare, 
for many scenarios, because it requires administrative effort, every time the 
path changes.  Since email is a form of packet-switching, dynamic changes to 
paths are usually considered to be an essential feature.

  Dave Crocker
  Brandenburg InternetWorking
  dcrocker  a t ...
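
Added example, not part of the original message: a sketch of the submission-hop check discussed above, where the rfc2822.from mailbox is validated against the mailboxes allocated to the authenticated client, independently of the rfc2821.mailfrom envelope address. The `ALLOCATED` table, the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed mapping: SMTP AUTH identity -> mailboxes the ISP allocated to it.
ALLOCATED = {"alice": {"alice@isp.example", "sales@isp.example"}}

# Constructed sample messages.
MSG_OK = "From: Alice <alice@isp.example>\nTo: bob@dest.example\n\nhello\n"
MSG_SPOOF = 'From: "CEO" <ceo@other.example>\nTo: bob@dest.example\n\nhello\n'
MSG_NO_FROM = "To: bob@dest.example\n\nhello\n"


def header_from_mailboxes(raw_message):
    """Return the lower-cased addr-specs found in the From: header field(s)."""
    msg = message_from_string(raw_message)
    values = msg.get_all("From", [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def check_submission(auth_identity, envelope_mailfrom, raw_message):
    """Decide at the submission hop only. Returns (accepted, reason)."""
    allowed = ALLOCATED.get(auth_identity, set())
    mailboxes = header_from_mailboxes(raw_message)
    if not mailboxes:
        return (False, "no From: mailbox")
    bad = [m for m in mailboxes if m not in allowed]
    if bad:
        return (False, "From: not allocated to client: " + ", ".join(bad))
    # envelope_mailfrom is deliberately not compared with From: the two are
    # often unrelated strings (for example a list bounce address).
    return (True, "ok")


if __name__ == "__main__":
    # Envelope differs from From:, yet the From: mailbox is allocated.
    print(check_submission("alice", "bounces@list.example", MSG_OK))
    # Envelope matches the client, but From: names someone else's mailbox.
    print(check_submission("alice", "alice@isp.example", MSG_SPOOF))
```

The check only has meaning on the hop where the server knows its client; a later MTA in the path has no such table to consult.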
