On Sun, 25 Jan 2004, Greg Connor wrote:
: > Sender: != return path (envelope). Please do not equate them, or even
: > consider them to be related; they're not.
: The supposition was that the envelope sender should match one of: Sender,
: From, Resent-Sender, Resent-From.
I don't see how. Those are (as currently defined) unrelated bits of
information.
: My concern is that spammers will just change the envelope sender and pass
: through SPF, and everything else in the headers could be a joe-job. Some
: MUAs don't even show Return-Path.
So? Most ISPs already have extensive documentation on how to submit spam
reports with full headers, which would include Return-Path: as well as the
almighty Received:. That's enough information to nail down the spamhaus in
question and reject, terminate, and/or prosecute depending on jurisdiction.
This is precisely where SPF gives the recipient/ISP leverage.
Why should we bend over backwards just because "user-friendly" MUAs won't
show a particular field? They typically also don't show Resent-*: or
Sender: either, y'know.
: So, let me turn around and ask you for your ideas... How do we keep
: spammers from changing things so that the envelope sender doesn't match
: anything else in the headers? How do we respond when they do?
Why should we keep them from doing so? If it's their domain in the
envelope, that means *they can be stopped*.
--
-- Todd Vierling <tv(_at_)duh(_dot_)org> <tv(_at_)pobox(_dot_)com>
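
The comparison proposed in the quoted text (envelope sender against Sender, From, Resent-Sender, Resent-From), as an added example that is not part of the original message: it reads Return-Path from a delivered message and reports which header identities share its domain. The sample messages and all domains are constructed, and matching by domain rather than by full address is an assumption of this example.

```python
# Added example: compare the envelope sender (Return-Path) of a delivered
# message with the header identities named in the thread.
from email import message_from_string
from email.utils import getaddresses, parseaddr

HEADER_IDENTITIES = ("Sender", "From", "Resent-Sender", "Resent-From")

def domain_of(addr):
    """Lower-cased domain of an addr-spec, or '' for the null sender <>."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def envelope_vs_headers(raw):
    """Return (envelope_domain, {header: [domains]}, matched_headers)."""
    msg = message_from_string(raw)
    # Return-Path is added at final delivery and records the SMTP MAIL FROM.
    env = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    found = {}
    for name in HEADER_IDENTITIES:
        addrs = getaddresses(msg.get_all(name, []))
        doms = sorted({domain_of(a) for _, a in addrs if a})
        if doms:
            found[name] = doms
    matched = [h for h, doms in found.items() if env and env in doms]
    return env, found, matched

# Constructed sample messages (all domains are placeholders).
LIST_MAIL = """\
Return-Path: <bounces@lists.example.net>
Received: from lists.example.net (lists.example.net [192.0.2.10])
\tby mx.example.org; Sun, 25 Jan 2004 12:00:00 -0500
From: Alice <alice@example.com>
To: spf-discuss@lists.example.net
Subject: list post

body
"""
DIRECT_MAIL = """\
Return-Path: <bob@example.com>
From: Bob <bob@example.com>
Sender: Secretary <sec@example.com>
To: carol@example.org
Subject: direct

body
"""

if __name__ == "__main__":
    for label, raw in (("list", LIST_MAIL), ("direct", DIRECT_MAIL)):
        env, found, matched = envelope_vs_headers(raw)
        print(f"{label}: envelope={env} headers={found} matched={matched}")
```

The constructed list message has no header identity in the envelope domain, which is ordinary for mailing-list traffic where the list's bounce address is the envelope sender.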