> On Sun, 25 Jan 2004, Greg Connor wrote:
> : Longer term, I would like to see some filters a la Spamassassin that
> : flag as "suspicious" if Return-Path doesn't equal Sender:.

--tv+spf(_at_)duh(_dot_)org wrote:
> Eh? That's a bad thing to flag. Consider:
> 1. User is on a mailing list, which (properly) sets Sender: to the mailing
> list return path address.
> 2. The address subscribed to the list is a pobox.com address, or that of
> some other aliasing service, which rewrites the envelope a la SRS.
> 3. The received mail at the destination mailbox flags your check.
> Sender: != return path (envelope). Please do not equate them, or even
> consider them to be related; they're not.
Sorry, this was mentioned earlier in the thread (see Meng's message) but
got dropped by the time you replied.
The supposition was that the envelope sender should match one of: Sender,
From, Resent-Sender, Resent-From.
I would assert that at least one of these *should* match the envelope
sender... but that supposition would need to be tested over a large email
set.
My concern is that spammers will just change the envelope sender and pass
through SPF, and everything else in the headers could be a joe-job. Some
MUAs don't even show Return-Path.
It's not a problem in SPF itself, but our allegiance to the envelope sender
means we have to educate users to look for the Return-Path and report based
on that. This gets even harder if the Return-Path starts to *not* match
any other header.
So, let me turn around and ask you for your ideas... How do we keep
spammers from changing things so that the envelope sender doesn't match
anything else in the headers? How do we respond when they do?
Can SPF really claim that it has stopped joe-jobs if the return-path is
bad(_at_)spammer(_dot_)com (or worse, dont-care(_at_)nospf(_dot_)here(_dot_)com) but the From: address
is bgates(_at_)microsoft(_dot_)com (or worse, service(_at_)paypal(_dot_)com)?
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
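Added illustration, not code from the thread or from the SPF project: a Python check of the supposition above (envelope sender should match one of Sender, From, Resent-Sender, Resent-From), run over two constructed messages, a direct mail and the mailing-list-through-SRS case tv describes. The SRS0 unwrapping is an assumption added here to show how a forwarder-aware comparison restores the match; all addresses, domains and the SRS hash are made up.

```python
import email
from email import policy
from email.utils import parseaddr

# The headers the thread proposes the envelope sender should match.
CANDIDATE_HEADERS = ("Sender", "From", "Resent-Sender", "Resent-From")

def unwrap_srs0(address):
    """Reverse one SRS0 rewrite: SRS0=hash=tt=orig-domain=orig-local@forwarder.
    Assumption: the forwarder uses the standard SRS0 layout; anything else is returned untouched."""
    local, _, _forwarder = address.partition("@")
    if not local.upper().startswith("SRS0="):
        return address
    parts = local.split("=", 4)  # maxsplit keeps '=' inside the original local part intact
    if len(parts) != 5:
        return address
    _tag, _hash, _timestamp, orig_domain, orig_local = parts
    return f"{orig_local}@{orig_domain}"

def check_envelope(raw, srs_aware=False):
    """Return (envelope address, list of candidate headers whose address equals it)."""
    msg = email.message_from_string(raw, policy=policy.default)
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    if srs_aware:
        envelope = unwrap_srs0(envelope).lower()
    matched = []
    for name in CANDIDATE_HEADERS:
        for value in msg.get_all(name, []):
            if parseaddr(str(value))[1].lower() == envelope:
                matched.append(name)
    return envelope, matched

# Constructed sample: direct mail, envelope equals From.
DIRECT = """\
Return-Path: <alice@example.org>
From: Alice <alice@example.org>

body
"""

# Constructed sample: list mail forwarded by an SRS-rewriting alias, as in the reply above.
LISTMAIL = """\
Return-Path: <SRS0=h4sh=TT=lists.example=list-bounces@pobox.example>
Sender: list-bounces@lists.example
From: Alice <alice@example.org>

body
"""
```

The naive check matches DIRECT but flags LISTMAIL (tv's false positive); with `srs_aware=True` the unwrapped envelope matches Sender again.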
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
Wiki:
http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/HomePage