On Tue, Jan 20, 2004 at 11:19:25PM -0600, Thor Kooda wrote:
|
| what if the system I was describing used the domain from the "From:"
| header, and ignored the envelope sender for verification?
|
| a legitimate company could still outsource its sending to a 3rd party,
| and the domain from the "From:" could still authorize/verify the
| message.
|
The problem with From: is this. Suppose you want to avoid phishing ---
you want email2004 to give human readers the assurance that if a message
shows
From: service(_at_)paypal(_dot_)com (Paypal Customer Service)
that it's really from PayPal. The above header is easy enough to
authenticate.
But a spammer can get around that by doing
From: verified(_at_)spammer(_dot_)com (service(_at_)paypal(_dot_)com)
And the part that's verified is the email address, not the comment part.
You say, OK, let's verify the comment part.
But you can encode the comment in UTF8, in ISO8859, in BIG5. and then
there are the service(_at_)paypa1(_dot_)com tricks.
This is why SPF doesn't want to get anywhere near the From: header.
Let smarter heads work that one out.
We're content to stop joe-jobs and protect the return-path.
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)©#�«Mo\¯HÝÜîU;±¤Ö¤Íµø�?¡