On Wed, 2004-04-07 at 10:59, Jim Ramsay wrote:
> I propose a way of matching the Envelope to the Headers "within reason":
> That is, if the domain is mostly the same, and the front-part is
> mostly the same, consider it "first-class". For example, I think this
> could be considered close enough to say that an email is "first-class":
>
> Envelope: i(_dot_)am-bounce-return(_at_)watson(_dot_)jimramsay(_dot_)com
> From: i(_dot_)am(_at_)jimramsay(_dot_)com
> Reply-to: i(_dot_)am-other-mailbox(_at_)jimramsay(_dot_)com
> Sender: lack(_at_)holmes(_dot_)jimramsay(_dot_)com

So how would you differentiate the above example from this one:

Envelope: i(_dot_)am-spammer(_at_)jimramsay(_dot_)com(_dot_)spammer(_dot_)net
From: i(_dot_)am(_at_)jimramsay(_dot_)com
Reply-to: i(_dot_)am(_dot_)freshened(_dot_)on(_dot_)the(_dot_)spamlist(_at_)jimramsay(_dot_)com(_dot_)spammer(_dot_)net
Sender: i(_dot_)am(_at_)jimramsay(_dot_)com

Or something similar. Not enough similarities? Enough to consider it
'first-class'? I think that if you're doing interesting things with your
envelope, reply-to, etc., then we shouldn't try to detect this and still
classify it as 'first-class'; it would simply fall into the
'second-class' bucket and still be seen by the user as probably
legitimate mail. If we're getting into the business of classifying
mail, 'first-class' should be absolutely verifiable as legitimate and
anything else would be a lesser class. In the example of using C/R
systems, it's an unfortunate side-effect that the addresses don't match.

--
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
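
The two header sets discussed in this thread, run through three matching rules, as an added example that is not code from either poster. The function names, the reading of "mostly the same" as prefix/substring tests, and the label-anchored rule (which goes beyond what the thread proposes) are assumptions; the addresses are constructed stand-ins using example.com and spammer.test.

```python
# Constructed sample messages mirroring the two header sets in the thread.
LEGIT = {
    "envelope": "i.am-bounce-return@watson.example.com",
    "from": "i.am@example.com",
    "reply_to": "i.am-other-mailbox@example.com",
}
SPOOF = {
    "envelope": "i.am-spammer@example.com.spammer.test",
    "from": "i.am@example.com",
    "reply_to": "i.am.freshened.on.the.spamlist@example.com.spammer.test",
}


def parts(addr):
    """Split an address into (local part, domain), lower-cased."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def loose(addr, ref):
    """Assumed 'mostly the same' rule: local-part prefix, domain substring."""
    (local, domain), (ref_local, ref_domain) = parts(addr), parts(ref)
    return local.startswith(ref_local) and ref_domain in domain


def anchored(addr, ref):
    """Domain must equal ref's domain or be a subdomain of it.

    The comparison is anchored at the right-hand end of the name, so
    'example.com.spammer.test' does not count as 'example.com'.
    The local part is deliberately ignored by this rule.
    """
    domain, ref_domain = parts(addr)[1], parts(ref)[1]
    return domain == ref_domain or domain.endswith("." + ref_domain)


def exact(addr, ref):
    """Strict rule: the whole address must be identical to From."""
    return addr.lower() == ref.lower()


def classify(msg, same):
    """First-class only if Envelope and Reply-to both match From under `same`."""
    ok = all(same(msg[k], msg["from"]) for k in ("envelope", "reply_to"))
    return "first-class" if ok else "second-class"


def compare(msg):
    """Classify one message under all three rules."""
    return {f.__name__: classify(msg, f) for f in (loose, anchored, exact)}
```

The loose rule cannot tell the two messages apart, while the exact rule puts both in the second-class bucket; only a comparison anchored on whole domain labels separates them.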