spf-discuss

Re: header algorithm for responsible sender selection

2004-02-14 06:55:56
On Fri, 13 Feb 2004, Greg Connor wrote:

On Thu, 12 Feb 2004, Greg Connor wrote:
Here is a crazy idea... one that might take care of both aspects.  What
if  the SPF draft said something like this:

If the envelope sender is checked by SPF and the result is "pass" or
"unknown", the headers of the message SHOULD be checked to see if they
match the envelope sender.  The SPF-checked envelope sender should match
the "header sender" as determined by this process (*insert process
here*)

--Shevek <spf(_at_)anarres(_dot_)org> wrote:
This would break SRS and forwarding.

I don't think messing with MUAs is a good idea. A large part of the
strength of this scheme is that it can be implemented on individual MTAs
without affecting the rest of the world. I have one domain with an SPF
record but no MTA implementation, and another with an MTA implementation
but no SPF record. Once we start requiring "everyone, including Microsoft
and Cisco" to do something, it won't happen.

Actually I think we are in agreement here, though the overall tone of your 
message suggests that you disagree.  So, please let me know if I didn't 
understand you correctly.

BUT, can we think of another way to warn the user of a possible forgery? 
My feeling is that SPF should warn the user if the message is accepted by 
SPF based on the invisible envelope sender or the nearly-invisible 
Return-Path, but the From and Sender are totally different.  This comes 
back to the topic of messages like this:
 MAIL FROM: bad(_at_)spammer(_dot_)com
 DATA
  From: service(_at_)paypal(_dot_)com
  Subject: Your account is expiring

Ah, now I understand what you're saying. It's a warning to the user, not a
requirement for interoperability. Yes, we are in full agreement.

S.

-- 
Shevek                                    http://www.anarres.org/
I am the Borg.                         http://www.gothnicity.org/