Re: header algorithm for responsible sender selection
2004-02-13 00:57:32
--"David A. Wheeler" <dwheeler(_at_)dwheeler(_dot_)com> wrote:
> Oh, I just realized, there needs to be a discussion about MUAs
> when you're doing header checking. I suggest adding this
> in the text about header checking after the algorithm
> (whatever it is):
>
> "It is important that end-users be able to view the data checked by SPF.
> Thus, Mail User Agents (MUAs) SHOULD display, at a minimum, the
> header sender's name and value when displaying the message body.
> It is RECOMMENDED that Resent-From, Resent-Sender, From, and Sender
> all be displayed when available while an MUA is displaying a message body.
> It is also RECOMMENDED that users be able to display the value of
> header sender when an MUA displays a summary of messages."

I've been unable to read the list for a while and I'm catching up. Sorry if
I missed something important... if so please tell me politely :)
It's the job of SPF to verify the envelope sender, and until recently we
didn't even bother with headers. If we do check envelope-sender, but it
turns out to be different from the four key headers we identified, what
happens then?
More specifically, what does this phrase mean exactly:
Mail User Agents (MUAs) SHOULD display, at a minimum, the
header sender's name and value when displaying the message body
Does "header sender" mean "envelope sender?" If so, then we are probably
good. But the archive messages you linked to seem to have a different idea
of "header sender".
Except... now we are depending on the MUA to display something that most
currently don't. I think it's a good idea for SPF adopters and supporters
to pick our battles, and I think we will have enough trouble with
forwarders without the added stress and headache of pushing on MUA
developers also.
So. Our problems are two-fold.
1. Check the headers against the envelope sender.
2. Display anything suspicious to the user somewhere in the MUA.
Here is a crazy idea... one that might take care of both aspects. What if
the SPF draft said something like this:
If the envelope sender is checked by SPF and the result is "pass" or
"unknown", the headers of the message SHOULD be checked to see if they
match the envelope sender. The SPF-checked envelope sender should match
the "header sender" as determined by this process (*insert process here*)
or by some similar method. If the SPF-checked envelope sender is different
from the header sender, the SPF receiving system SHOULD place a warning in
a header such as Received-SPF or SPF-Warning. The SPF receiving system MAY
also place a warning in a more visible place, for example, by adding
[possible forgery] to the Subject: line or display name part of the From:
line.
If the envelope sender is checked by SPF and the result is "fail" the best
action is to reject the message. However, if the message is being checked
after it is received, it is too late to reject the SMTP transaction, and
bouncing the message back is not recommended, since the sender info is
already known to be suspicious. In this case, the message might be passed
along to the recipient anyway (usually with a tag or held in a suspicious
items folder or both.) In this case, the SPF receiving system SHOULD place
a warning in a header such as Received-SPF or SPF-Warning. The SPF
receiving system SHOULD also place a warning in a more visible place, for
example, by adding [possible forgery] to the Subject: line or display name
part of the From: line.
In other words, we are limiting ourselves to language about the MTA or
automated filter and we don't require anything different from the MUA. If
we do make any recommendations about the MUA, they should be soft
recommendations, possibly something like this:
"In order to be SPF-aware, the MUA should show the user some indication of
the result of SPF processing. If the Received-SPF information shows a
failure or warning, the MUA SHOULD show the Received-SPF header in the
header area or in the body area above the actual body of the message. If
the Resent-Sender or Resent-From matched the envelope sender but the Sender
and From do not match, the Resent-Sender and Resent-From SHOULD be shown to
the user, either in the header area or in the body area above the actual
body. If the SPF result is "PASS" the SPF-aware MUA MAY provide some
indication of success, such as a check mark, or putting the SPF-verified
address in green, or similar. The MUA MAY provide a way to view more
information about the SPF status using a symbol or icon in the header
space, so that clicking it displays the Received-SPF information."
Anyway, that would provide something for the MUA folks to chew on, but
doesn't require their active support for SPF to work.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
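
The receiver-side rule proposed in the message above, sketched as an added example (not code from the post, the list, or any SPF draft). The header priority order, the function names and the wording of the warning are assumptions; the post leaves the selection process open and only names the four headers, the SPF-Warning header and the [possible forgery] tag.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed order: the post leaves the selection process open ("*insert process
# here*") and only names these four headers.
HEADER_PRIORITY = ("Resent-Sender", "Resent-From", "Sender", "From")
TAG = "[possible forgery]"

# Constructed sample message (not real mail).
SAMPLE = (
    "From: Alice Example <alice@bank.example>\n"
    "To: bob@rcpt.example\n"
    "Subject: Account notice\n"
    "\n"
    "Body text.\n"
)

def header_sender(msg):
    """Return (header name, address) for the first header that holds an address."""
    for name in HEADER_PRIORITY:
        addr = parseaddr(str(msg.get(name, "")))[1]
        if addr:
            return name, addr.lower()
    return None, ""

def tag_subject(msg):
    subject = str(msg.get("Subject", ""))
    if TAG not in subject:
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()

def apply_policy(msg, envelope_sender, spf_result, tag_on_mismatch=False):
    """Annotate msg in place as the proposed text describes; return the warning or None."""
    result = spf_result.lower()
    if result == "fail":                       # delivered anyway: header SHOULD, tag SHOULD
        warning = f"SPF fail for envelope sender {envelope_sender}"
        tag_subject(msg)
    elif result in ("pass", "unknown"):        # compare envelope and header sender
        name, addr = header_sender(msg)
        if addr == envelope_sender.lower():    # whole-address, case-insensitive match
            return None
        warning = f"envelope sender {envelope_sender} differs from {name or 'header'} <{addr}>"
        if tag_on_mismatch:                    # visible tag is only a MAY here
            tag_subject(msg)
    else:
        return None                            # other results are outside the proposed text
    msg["SPF-Warning"] = " ".join(warning.split())  # no CR/LF can reach the header
    return msg["SPF-Warning"]

if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    print(apply_policy(m, "mallory@other.example", "pass"))
    print(m["Subject"])
```

Because the annotation happens in the MTA or filter, an MUA that knows nothing about SPF still shows the tagged Subject line.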