spf-discuss

Re: verifying the message instead of just its path

2004-01-20 22:53:01
On Wed, 21 Jan 2004, Meng Weng Wong wrote:
> On Tue, Jan 20, 2004 at 11:19:25PM -0600, Thor Kooda wrote:
> | what if the system I was describing used the domain from the "From:"
> | header, and ignored the envelope sender for verification?
> | 
> | a legitimate company could still outsource its sending to a 3rd party,
> | and the domain from the "From:" could still authorize/verify the
> | message.
> 
> The problem with From: is this.  Suppose you want to avoid phishing ---
> you want email2004 to give human readers the assurance that if a message
> shows
> [ snip ]
> But a spammer can get around that by doing
> 
>   From: verified@spammer.com (service@paypal.com)
> 
> And the part that's verified is the email address, not the comment part.

That is correct, the part we want to verify is the email address, not
the comment.

If the MUA displays the comment in a misleading manner, then how is that
not an issue with the MUA?


> We're content to stop joe-jobs and protect the return-path.

how does the hash+sign (w/key in dns) system not protect against
joe-jobs and still allow full, unmodified usage of the envelope sender?

-- 
Thor Kooda
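
The point argued above (the domain check covers the addr-spec, while a mail reader may show the comment or display phrase instead) is easy to see in code. The following is an added example, not code from the list post or from the SPF project: it uses Python's standard `email.utils.parseaddr` to pull out the address a From:-based scheme would verify, a small hand-written extractor to approximate what a name-first MUA displays, and a mismatch check of the kind an MUA could apply. The header values are constructed for illustration; `spammer.com` and `paypal.com` are just the names used in the quoted message.

```python
"""Added example (not from the spf-discuss post): which part of a From:
header a domain-based check verifies, versus what a naive MUA may show.

The header samples are constructed; the regexes are a deliberately small
approximation of RFC 2822 syntax, enough for the forms under discussion.
"""
import re
from email.utils import parseaddr

# Constructed From: header values (illustrative, not captured mail).
SAMPLES = {
    "plain":   "verified@spammer.com",
    "comment": "verified@spammer.com (service@paypal.com)",   # the post's example
    "phrase":  '"service@paypal.com" <verified@spammer.com>', # same trick via display name
    "honest":  "PayPal Service <service@paypal.com>",
}

# display phrase in front of an angle-bracketed address: quoted or bare
PHRASE_RE = re.compile(r'^\s*(?:"(?P<q>[^"]*)"|(?P<u>[^<"(]+?))\s*<')
# an RFC 822 comment anywhere in the header (no nesting handled here)
COMMENT_RE = re.compile(r"\(([^)]*)\)")
# something that looks like an e-mail address; group 1 is its domain
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def verified_address(header: str) -> str:
    """The addr-spec a From:-based scheme actually checks.

    parseaddr discards the display phrase and any comments, so this is the
    mailbox whose domain would be looked up in DNS.
    """
    _, addr = parseaddr(header)
    return addr.lower()


def verified_domain(header: str) -> str:
    """Domain part of the verified addr-spec (empty if there is none)."""
    return verified_address(header).rpartition("@")[2]


def displayed_text(header: str) -> str:
    """Approximation of what a name-first MUA shows for this header.

    Preference order: quoted or bare display phrase, then an RFC 822
    comment, then the bare address. A real MUA's rules vary; this is an
    assumption made for the example.
    """
    m = PHRASE_RE.match(header)
    if m:
        phrase = m.group("q") if m.group("q") is not None else m.group("u")
        if phrase.strip():
            return phrase.strip()
    m = COMMENT_RE.search(header)
    if m and m.group(1).strip():
        return m.group(1).strip()
    return verified_address(header)


def display_name_mismatch(header: str) -> bool:
    """True when the shown text contains an address whose domain differs
    from the verified domain, i.e. the comment/phrase trick from the post."""
    shown_domain_ok = verified_domain(header)
    for m in ADDR_RE.finditer(displayed_text(header)):
        if m.group(1).lower() != shown_domain_ok:
            return True
    return False


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:8} verified={verified_domain(hdr):12} "
              f"shown={displayed_text(hdr)!r:24} "
              f"mismatch={display_name_mismatch(hdr)}")
```

Running it shows that for the "comment" and "phrase" forms the verified domain is `spammer.com` while the text a reader sees is `service@paypal.com`; the last function is the kind of check that belongs in the MUA, which is exactly where the post says the display problem sits.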

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt

