spf-discuss

Re: Response to the Bellovin Critique of SPF

2004-01-25 11:04:17
In 
<2A1D4C86842EE14CA9BC80474919782E0111336D(_at_)mou1wnexm02(_dot_)vcorp(_dot_)ad(_dot_)vrsn(_dot_)com>
 "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> writes:

> Steve does have a point, there are email clients that display only the
> display name and not the email address of an email user. So SPF is not the
> last word on the phishing issue.

Yes, I very much agree.  Anti-phishing systems *REQUIRE* changes to
the MUA.  They also will likely need changes to MTAs.  I think that is
way beyond the scope of anything we can deal with here.

SPF can validate an envelope-from during the SMTP session, or after the
email has been accepted if the MTA gives the Return-Path: (or similar)
header.


> SPF does allow us to spam filter out strings such as E-Bay Customer Support
> in the subject line if they are not from the real E-Bay Customer support. At
> the moment that is not possible. Sure this is ad-hoc.

I disagree that the help that SPF provides to validating the From:
header is ad hoc.  


> So an authentic E-Bay email would look something like
>
> From: admin(_at_)e-bay (E-bay Customer Support)     +----+ +----+
>                                                |VRSN| |EBAY|
>                                                | C3 | |    |
>                                                +----+ +----+

Would the From: header even need to be validated?  Couldn't you just
use S/MIME and trigger off the person who signed the message?


-wayne
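
As an added illustration (not code from this list or from the SPF project): a small Python check that evaluates the envelope-from from the MTA's Return-Path: header against a tiny SPF evaluator (ip4 mechanisms and "all" only), then records the display-name case the thread is about, which SPF by itself cannot catch. The domains, addresses, client IPs and SPF records are all constructed for the example.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records for the example (hypothetical domains, not real DNS).
# A real check looks these up as TXT records for the envelope-from domain.
SPF_RECORDS = {
    "e-bay.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "spammer.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(envelope_domain, client_ip):
    """Tiny SPF evaluator: ip4 mechanisms and 'all' only, with qualifiers."""
    record = SPF_RECORDS.get(envelope_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"

def evaluate(raw_message, client_ip):
    """SPF on the envelope-from (Return-Path added by the MTA), plus the
    display-name comparison that SPF alone cannot make."""
    msg = message_from_string(raw_message)
    env_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    return {
        "spf": spf_check(env_domain, client_ip),
        "from_matches_envelope": from_domain == env_domain,
        # brand name in the display name but the address is not the brand's domain
        "brand_mismatch": "e-bay" in display.lower() and from_domain != "e-bay.example",
    }

# Constructed messages: a genuine one, and a phish whose own domain's SPF passes.
GENUINE = """Return-Path: <admin@e-bay.example>
From: "E-Bay Customer Support" <admin@e-bay.example>
"""
PHISH = """Return-Path: <bounce@spammer.example>
From: "E-Bay Customer Support" <support@spammer.example>
"""
```

The phish gets an SPF pass because the spammer publishes a valid record for its own domain; only the display-name comparison, which an MUA showing just the display name would hide from the user, tells the two apart.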

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt