Here's maybe a simple question --

When a receiver's mailserver receives a message, it then figures out what IP
address the message came from, and makes sure that IP address is in the list of
"permitted" IP addresses for this sender.

Here's my question --

How does the receiver's mailserver know what IP address the message came from?
Just by looking in the message headers? Message headers are trivial to spoof.
There has to be something better.

There are exactly two ways to have sender verification compatible with SMTP:

1- Base the verification on the *last* IP address of the *last* relay that
talks to the receiver. Basically have a Certificate Authority or something
like that that says "You have a message coming from 123.213.020.111? You can
trust that guy. It's real."

or

2- Encode something in the message that could only have been put there by the
real sender. Perhaps a signature key. Perhaps a Message ID that was created
by the sender's mailserver using a password. Or some other idea.

How do you propose SPF should handle this problem?
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt