spf-discuss

RE: Using headers instead of SRS

2004-01-26 06:42:17
Todd Vierling <tv+spf(_at_)duh(_dot_)org> wrote:
On Sun, 25 Jan 2004, Greg Connor wrote:
The supposition was that the envelope sender should match one of:
Sender, From, Resent-Sender, Resent-From.

I don't see how.  Those are (as currently defined) unrelated bits of
information. 

Are they really?  By specification, they are not exactly the same.  But I don't 
think they are unrelated.

My concern is that spammers will just change the envelope sender and
pass through SPF, and everything else in the headers could be a
joe-job.  Some MUAs don't even show Return-Path.

So?  Most ISPs already have extensive documentation on how to submit
spam reports with full headers, which would include Return-Path: as
well as the almighty Received:.  That's enough information to nail down
the spamhaus in question and reject, terminate, and/or prosecute
depending on jurisdiction. This is precisely where SPF gives the
recipient/ISP leverage. 

Why should we bend over backwards just because "user-friendly" MUAs
won't show a particular field?  They typically also don't show
Resent-*: or Sender: either, y'know. 

This is not about making the lives of spam *reporters* easier, but about making 
it easier for regular users to *recognize* address forgeries.  BTW, most MUAs I 
know *do* show "Sender:", even Outlook does.

So, let me turn around and ask you for your ideas... How do we keep
spammers from changing things so that the envelope sender doesn't
match anything else in the headers?  How do we respond when they do?

Why should we keep them from doing so?  If it's their domain in the
envelope, that means *they can be stopped*.

But to create somewhat reliable reputation systems (RHSBLs, domain blacklists) 
for SPF to actually do its part in the fight against spam, we need people to 
*recognize* forgeries in the first place.  Nobody, not even experts, will want 
to have to examine the full headers of *every* potentially address-forged 
message to find out.

If SPF protects the envelope sender and thus the "Return-Path:" header, there 
are only two basic ways to make the envelope sender available to regular users: 
Change MUAs to display the "Return-Path:" header, or make the envelope sender 
appear somewhere else that is displayed by MUAs.

I suggested the "Sender:" header, because I think it's conceptually the same as 
the envelope sender, or could at least be made so without significant problems. 
You just keep saying: "no, Sender: is not related to the envelope sender", 
without showing actual examples where such a direct relation would be a real 
problem.
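As an added example that is not part of this thread (it uses only Python's standard email library, with constructed sample messages): a check for the alignment rule discussed above, reporting which of Sender, From, Resent-Sender or Resent-From carries the envelope sender recorded in Return-Path:. A message where none of them does is the case the thread worries about: SPF passes on the envelope domain while every address the MUA displays is forged, so a filter or MUA could flag it.

```python
# Added example, not from the original thread.  Envelope sender is taken from
# Return-Path: as written by the receiving MTA; candidate headers are the ones
# proposed in the thread, checked in Resent-* first order.
from email import message_from_string
from email.utils import getaddresses, parseaddr

CANDIDATE_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def normalize(addr):
    """Lower-case the domain; the local part is case-sensitive by spec."""
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}" if domain else addr.lower()

def envelope_sender(msg):
    """Envelope sender (SMTP MAIL FROM) as recorded in Return-Path:."""
    return normalize(parseaddr(msg.get("Return-Path", ""))[1])

def aligned_headers(msg):
    """Candidate headers whose address list contains the envelope sender."""
    env = envelope_sender(msg)
    hits = []
    for name in CANDIDATE_HEADERS:
        addrs = [normalize(a) for _, a in getaddresses(msg.get_all(name, []))]
        if env and env in addrs:
            hits.append(name)
    return hits

def alignment_verdict(raw):
    """('aligned', [headers]) if any candidate carries the envelope sender."""
    hits = aligned_headers(message_from_string(raw))
    return ("aligned" if hits else "unaligned"), hits

# Constructed sample: list mail where Sender: carries the envelope sender.
LEGIT = """Return-Path: <bounces@lists.example.org>
From: Alice <alice@example.com>
Sender: <bounces@lists.example.org>
Subject: hello

body
"""

# Constructed sample: envelope domain would pass SPF for the spammer's own
# domain, but nothing a MUA shows points at it (joe-job on bank.example).
FORGED = """Return-Path: <x17@spammer.example>
From: "Your Bank" <security@bank.example>
Subject: verify your account

body
"""

if __name__ == "__main__":
    print(alignment_verdict(LEGIT))   # ('aligned', ['Sender'])
    print(alignment_verdict(FORGED))  # ('unaligned', [])
```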

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/HomePage