spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: header algorithm for responsible sender selection

2004-02-13 00:57:32
from [Greg Connor] [Permanent Link] 
--"David A. Wheeler" <dwheeler(_at_)dwheeler(_dot_)com> wrote:

Oh, I just realized, there needs to be a discussion about MUAs
when you're doing header checking.  I suggest adding this
in the text about header checking after the algorithm
(whatever it is):

"It is important that end-users be able to view the data checked by SPF.
Thus, Mail User Agents (MUAs) SHOULD display, at a minimum, the
header sender's name and value when displaying the message body.
It is RECOMMENDED that Resent-From, Resent-Sender, From, and Sender
all be displayed when available while an MUA is displaying a message body.
It is also RECOMMENDED that users be able to display the value of
header sender when an MUA displays a summary of messages."
I've been unable to read the list for a while and I'm catching up. Sorry if I missed something important... if so please tell me politely :)
It's the job of SPF to verify the envelope sender, and until recently we didn't even bother with headers. If we do check envelope-sender, but it turns out to be different from the four key headers we identified, what happens then? 

More specifically, what does this phrase mean exactly:

Mail User Agents (MUAs) SHOULD display, at a minimum, the
header sender's name and value when displaying the message body
Does "header sender" mean "envelope sender?" If so, then we are probably good. But the archive messages you linked to seem to have a different idea of "header sender".
Except... now we are depending on the MUA to display something that most currently don't. I think it's a good idea for SPF adopters and supporters to pick our battles, and I think we will have enough trouble with forwarders without the added stress and headache of pushing on MUA developers also. 

So.  Our problems are two-fold.
1. Check the headers against the envelope sender.
2. Display anything suspicious to the user somewhere in the MUA.
Here is a crazy idea... one that might take care of both aspects. What if the SPF draft said something like this:
If the envelope sender is checked by SPF and the result is "pass" or "unknown", the headers of the message SHOULD be checked to see if they match the envelope sender. The SPF-checked envelope sender should match the "header sender" as determined by this process (*insert process here*) or by some similar method. If the SPF-checked envelope sender is different from the header sender, the SPF receiving system SHOULD place a warning in a header such as Received-SPF or SPF-Warning. The SPF receiving system MAY also place a warning in a more visible place, for example, by adding [possible forgery] to the Subject: line or display name part of the From: line.
If the envelope sender is checked by SPF and the result is "fail" the best action is to reject the message. However, if the message is being checked after it is received, it is too late to reject the SMTP transaction, and bouncing the message back is not recommended, since the sender info is already known to be suspicious. In this case, the message might be passed along to the recipient anyway (usually with a tag or held in a suspicious items folder or both.) In this case, the SPF receiving system SHOULD place a warning in a header such as Received-SPF or SPF-Warning. The SPF receiving system SHOULD also place a warning in a more visible place, for example, by adding [possible forgery] to the Subject: line or display name part of the From: line.
In other words, we are limiting ourselves to language about the MTA or automated filter and we don't require anything different from the MUA. If we do make any recommendations about the MUA, they should be soft recommendations, possibly something like this
In order to be SPF-aware, the MUA should show the user some indication of the result of SPF processing. If the Received-SPF information shows a failure or warning, the MUA SHOULD show the Received-SPF header in the header area or in the body area above the actual body of the message. If the Resent-Sender or Resent-From matched the envelope sender but the Sender and From do not match, the Resent-Sender and Resent-From SHOULD be shown to the user, either in the header area or in the body area above the actual body. If the SPF result is "PASS" the SPF-aware MUA MAY provide some indication of success, such as a check mark, or putting the SPF-verified address in green, or similar. The MUA MAY provide a way to view more information about the SPF status using a symbol or icon in the header space, so that clicking it displays the Received-SPF information."
Anyway that would provide something for the MUA folks to chew on, but doesn't require their active support for SPF to work 

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: specification 02.9.7 released, Greg Connor
Next by Date:  Re: some comments from the RISKS lists, Shevek
Previous by Thread:  Re: header algorithm for responsible sender selection, David A. Wheeler
Next by Thread:  Re: header algorithm for responsible sender selection, Shevek
Indexes:  [Date] [Thread] [Top] [All Lists]