Re: Anti-Spoofing Technology

2005-04-20 06:23:09

The problem with the rfc2821.mailfrom address is that it often is highly UNrelated to the rfc2822.from. There might be a logical relationship, but nothing explicitly similar between the strings.

it's also the case that neither rfc2821.mailfrom nor rfc2822.from necessarily has anything to do with the location to which the message was submitted. nor is it necessarily the case that rfc2822.from identifies the person who submitted the message.

people often seem to want to cast this as an argument about which field should be authenticated. overloading either rfc2821.mailfrom or rfc2822.from is harmful. the right field to associate with the identity of the originator would be rfc2822.sender except that that field is so widely misused that it's useless in practice.

the right way to use rfc2821.mailfrom or rfc2822.from is not to ask "is this the person who sent the message?" or "did this message come from the right place?" but "did the originator have permission to use this address?"
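As an added illustration of the distinction drawn above (example code, not from the original post): it pulls rfc2821.mailfrom out of a constructed SMTP session and rfc2822.from / rfc2822.sender out of a constructed message, shows that the strings need not match, and then asks the post's question instead, "may this submitter use this address?", against a hypothetical per-domain policy keyed on the submitting host name.

```python
import email
from email.utils import parseaddr

# Constructed sample SMTP session (the envelope) as seen by a receiving MTA.
SMTP_TRANSCRIPT = [
    "EHLO relay.example.net",
    "MAIL FROM:<bounces-42@lists.example.org>",
    "RCPT TO:<alice@example.com>",
    "DATA",
]

# Constructed sample message (the rfc2822 headers) carried in that session.
RAW_MESSAGE = (
    "From: Bob Author <bob@example.net>\r\n"
    "Sender: Mailing List <owner@lists.example.org>\r\n"
    "To: alice@example.com\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

# Hypothetical policy: for each address domain, the submitting hosts that the
# domain owner permits to use addresses in that domain.
AUTHORIZED_SUBMITTERS = {
    "example.net": {"relay.example.net", "mail.example.net"},
    "lists.example.org": {"relay.example.net"},
}


def envelope_mailfrom(transcript):
    """Return the rfc2821.mailfrom address from a list of SMTP command lines."""
    for line in transcript:
        if line.upper().startswith("MAIL FROM:"):
            return line[len("MAIL FROM:"):].strip().strip("<>") or None
    return None


def header_identities(raw):
    """Return (rfc2822.from, rfc2822.sender) addresses from the message headers."""
    msg = email.message_from_string(raw)
    hdr_from = parseaddr(msg.get("From", ""))[1] or None
    hdr_sender = parseaddr(msg.get("Sender", ""))[1] or None
    return hdr_from, hdr_sender


def permitted(submitter_host, addr, policy=AUTHORIZED_SUBMITTERS):
    """The post's question: did the originator have permission to use addr?
    Returns None when the address domain publishes no policy (undecidable)."""
    domain = addr.rsplit("@", 1)[1].lower() if addr and "@" in addr else None
    if domain is None or domain not in policy:
        return None
    return submitter_host in policy[domain]


def evaluate(submitter_host="relay.example.net"):
    mailfrom = envelope_mailfrom(SMTP_TRANSCRIPT)
    hdr_from, hdr_sender = header_identities(RAW_MESSAGE)
    return {
        "rfc2821.mailfrom": mailfrom,
        "rfc2822.from": hdr_from,
        "rfc2822.sender": hdr_sender,
        "strings_equal": mailfrom == hdr_from,
        "mailfrom_permitted": permitted(submitter_host, mailfrom),
        "from_permitted": permitted(submitter_host, hdr_from),
    }
```

Treating the EHLO host name as the submitting identity is a simplification for the example; a real receiver would key the policy on the connecting IP or an authenticated session.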

