spf-discuss

RE: Using headers instead of SRS

2004-01-26 05:57:39
On Sun, 25 Jan 2004, Greg Connor wrote:

: > Sender: != return path (envelope).  Please do not equate them, or even
: > consider them to be related; they're not.

: The supposition was that the envelope sender should match one of: Sender,
: From, Resent-Sender, Resent-From.

I don't see how.  Those are (as currently defined) unrelated bits of
information.

: My concern is that spammers will just change the envelope sender and pass
: through SPF, and everything else in the headers could be a joe-job.  Some
: MUAs don't even show Return-Path.

So?  Most ISPs already have extensive documentation on how to submit spam
reports with full headers, which would include Return-Path: as well as the
almighty Received:.  That's enough information to nail down the spamhaus in
question and reject, terminate, and/or prosecute depending on jurisdiction.
This is precisely where SPF gives the recipient/ISP leverage.

Why should we bend over backwards just because "user-friendly" MUAs won't
show a particular field?  They typically also don't show Resent-*: or
Sender: either, y'know.

: So, let me turn around and ask you for your ideas... How do we keep
: spammers from changing things so that the envelope sender doesn't match
: anything else in the headers?  How do we respond when they do?

Why should we keep them from doing so?  If it's their domain in the
envelope, that means *they can be stopped*.

-- 
-- Todd Vierling <tv(_at_)duh(_dot_)org> <tv(_at_)pobox(_dot_)com>
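
The following is an added example, not part of the original message: a Python check of whether a message's Return-Path (the envelope sender as recorded at delivery) appears in Sender, From, Resent-Sender or Resent-From. The sample messages and the `compare_envelope` helper are constructed for illustration; they show that ordinary direct, mailing-list and bulk mail give different results, which is why the fields cannot simply be equated.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

HEADER_FIELDS = ("Sender", "From", "Resent-Sender", "Resent-From")

def domain(addr):
    """Domain part of an address, lower-cased."""
    return addr.rpartition("@")[2].lower()

def compare_envelope(raw):
    """Report which header fields carry the envelope sender or its domain."""
    msg = message_from_string(raw)
    # Return-Path is written by the final MTA from the SMTP MAIL FROM value.
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    exact, same_domain = [], []
    for field in HEADER_FIELDS:
        addrs = [a.lower() for _, a in getaddresses(msg.get_all(field, [])) if a]
        if envelope and envelope in addrs:
            exact.append(field)
        elif envelope and any(domain(a) == domain(envelope) for a in addrs):
            same_domain.append(field)
    return {"envelope": envelope, "exact": exact, "same_domain": same_domain}

# Constructed sample messages (example.* domains, not taken from the thread).
DIRECT = ("Return-Path: <bob@example.com>\n"
          "From: Bob <bob@example.com>\n"
          "Subject: hello\n\nbody\n")
LIST = ("Return-Path: <discuss-bounces@lists.example.org>\n"
        "From: Alice <alice@example.com>\n"
        "Sender: owner-discuss@lists.example.org\n"
        "Subject: list traffic\n\nbody\n")
BULK = ("Return-Path: <bounce-1234@mailer.example.net>\n"
        "From: News <news@example.com>\n"
        "Subject: newsletter\n\nbody\n")
BOUNCE = ("Return-Path: <>\n"   # null envelope sender used for delivery reports
          "From: MAILER-DAEMON@mx.example.net\n"
          "Subject: Undelivered mail\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("direct", DIRECT), ("list", LIST),
                      ("bulk", BULK), ("bounce", BOUNCE)]:
        print(name, compare_envelope(raw))
```
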
