spf-discuss

Maybe simple question

2003-12-12 06:40:59
Here's maybe a simple question --

When a receiver's mailserver receives a message, it then figures out what IP
address the message came from, and makes sure that IP address is in the list
of "permitted" IP addresses for this sender.

Here's my question --
How does the receiver's mailserver know what IP address the message came
from?  Just by looking in the message headers?  Message headers are trivial
to spoof.  There has to be something better.

There are exactly two ways to have sender verification compatible with SMTP:

1- Base the verification on the *last* IP address of the *last* relay that
talks to the receiver.  Basically have a Certificate Authority or something
like that that says "You have a message coming from 123.213.020.111?  You
can trust that guy.  It's real."

or

2- Encode something in the message that could only have been put there by
the real sender.  Perhaps a signature key.  Perhaps a Message ID that was
created by the sender's mailserver using a password.  Or some other idea.

How do you propose SPF should handle this problem?

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt