spf-discuss

Re: header algorithm for responsible sender selection

2004-02-13 02:46:15
On Thu, 12 Feb 2004, Greg Connor wrote:

> It's the job of SPF to verify the envelope sender, and until recently we
> didn't even bother with headers.  If we do check envelope-sender, but it
> turns out to be different from the four key headers we identified, what
> happens then?

You probably hit an SRS forwarder. This happens a lot and should be 
considered normal. SPF prevents people from getting millions of bounce 
messages from spams. It does not prevent spam.

> More specifically, what does this phrase mean exactly:
>     Mail User Agents (MUAs) SHOULD display, at a minimum, the
>     header sender's name and value when displaying the message body
> Does "header sender" mean "envelope sender?"  If so, then we are probably
> good.  But the archive messages you linked to seem to have a different idea
> of "header sender".

No, it means header sender, i.e. the sender in the headers.

> Here is a crazy idea... one that might take care of both aspects.  What if
> the SPF draft said something like this:
>
> If the envelope sender is checked by SPF and the result is "pass" or
> "unknown", the headers of the message SHOULD be checked to see if they
> match the envelope sender.  The SPF-checked envelope sender should match
> the "header sender" as determined by this process (*insert process here*)

This would break SRS and forwarding.

I don't think messing with MUAs is a good idea. A large part of the
strength of this scheme is that it can be implemented on individual MTAs
without affecting the rest of the world. I have one domain with an SPF
record but no MTA implementation, and another with an MTA implementation
but no SPF record. Once we start requiring "everyone, including Microsoft
and Cisco" to do something, it won't happen.

S.

-- 
Shevek                                    http://www.anarres.org/
I am the Borg.                         http://www.gothnicity.org/
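
Added example, not part of the original message or of any SPF implementation: a sketch of why a strict "envelope sender must equal header sender" rule misfires on SRS-forwarded mail. The Sender-then-From selection, the sample message and all addresses are assumptions constructed for illustration; the thread's actual header selection process is not shown on this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# SRS0 layout: SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
SRS0 = re.compile(r"^SRS0=([^=]+)=([^=]+)=([^=]+)=(.+)@([^@]+)$", re.I)

# Constructed sample message (hypothetical addresses).
SAMPLE = """\
From: Alice <alice@example.org>
To: bob@alumni.example.net
Subject: constructed sample

hello
"""

def unwrap_srs0(envelope_sender):
    """Return (original_sender, forwarder) for an SRS0 address, else None.

    The hash is NOT verified here: only the forwarder holds the secret, so
    the result is a hint for log triage, never proof of who sent the mail.
    """
    m = SRS0.match(envelope_sender)
    if not m:
        return None
    _hash, _ts, domain, local, forwarder = m.groups()
    return f"{local}@{domain}".lower(), forwarder.lower()

def header_sender(msg):
    """Simplified selection (assumption): Sender if present, else From."""
    for name in ("Sender", "From"):
        addr = parseaddr(msg.get(name, ""))[1]
        if addr:
            return addr.lower()
    return None

def classify(envelope_sender, raw_message):
    """Compare the SPF-checked envelope sender with the header sender."""
    hdr = header_sender(message_from_string(raw_message))
    if hdr == envelope_sender.lower():
        return "match"
    srs = unwrap_srs0(envelope_sender)
    if srs and srs[0] == hdr:
        # A strict equality rule would have rejected this forwarded message.
        return "forwarded-via-" + srs[1]
    return "mismatch"
```

The middle case is the one the reply calls normal: SPF passes for the forwarder's domain, while the header still names the original author.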