On Fri, 4 Jun 2004, Daniel Quinlan wrote:
> Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com> writes:
>> Yeah! customerservice(_at_)bigbank-phisher(_dot_)com sent me an email and
>> bigbank-phisher.com says that it's actually an email from
>> bigbank-phisher.com! Never mind the fact that bigbank-phisher.com is NOT
>> bigbank.com.
> No, the problem is that you can give SPF-correct information in the SMTP
> envelope, set one or two non-displayed headers (Sender, Resent-From,
> etc.) to be correct, but then set From: to be bigbank.com. Since From:
> is not checked under the SPF/Caller-ID merge and since not all MUAs
> display From:, then it seems to be from bigbank.
Given that the purpose of SPF was to prevent joe jobs, why are we having
this discussion?
When you have a hammer, everything looks like a nail.
In this case, we seem to have a nail, and SPF has a hammer costume on. But
it isn't a hammer.
S.
--
Shevek http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/
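The gap the thread is pointing at is that SPF is evaluated against the SMTP envelope sender (MAIL FROM), while what the recipient sees is the RFC 822 From: header, which SPF never looks at. The script below is an added illustration of that gap and is not code from this thread or from any SPF implementation: it replaces DNS resolution with a constructed in-memory table of "published" SPF records, checks the envelope sender against it, and then separately compares the envelope domain with the From: header domain. A message can score SPF "pass" on the envelope and still fail that domain comparison, which is exactly the bigbank-phisher.com / bigbank.com case above (the addresses come from the thread; the IP addresses and the `Sender:`/`Resent-From:` decoration are constructed). Checking that the From: domain lines up with the authenticated identity is the alignment idea that DMARC later standardized on top of SPF.

```python
"""Added example: SPF authenticates the SMTP envelope sender, not the
From: header a user sees.  SPF_RECORDS is a constructed stand-in for DNS
TXT lookups; all IPs and the sample message are made up for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed "published" SPF policies: domain -> IPs allowed to send for it.
# A real implementation would resolve the domain's SPF TXT record from DNS.
SPF_RECORDS = {
    "bigbank-phisher.com": {"192.0.2.10"},   # attacker's own, correct, record
    "bigbank.com": {"198.51.100.5"},         # the bank's real mail server
}


def address_domain(address: str) -> Optional[str]:
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    _, addr = parseaddr(address or "")
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def spf_check(envelope_from: str, client_ip: str) -> str:
    """SPF result for the envelope sender: 'pass', 'fail' or 'none'."""
    domain = address_domain(envelope_from)
    authorized = SPF_RECORDS.get(domain)
    if authorized is None:
        return "none"
    return "pass" if client_ip in authorized else "fail"


def evaluate(envelope_from: str, client_ip: str, raw_message: str) -> dict:
    """Run SPF on the envelope, then compare it with the visible From: domain.

    'aligned' is the extra check SPF itself does not perform: does the domain
    the user will see match the domain that SPF actually authenticated?
    """
    msg = message_from_string(raw_message)
    env_domain = address_domain(envelope_from)
    from_domain = address_domain(msg.get("From"))
    spf = spf_check(envelope_from, client_ip)
    aligned = from_domain is not None and from_domain == env_domain
    if spf == "fail":
        verdict = "reject"
    elif not aligned:
        verdict = "suspicious"   # SPF passed, but for a different domain
    else:
        verdict = "ok"
    return {
        "spf": spf,
        "envelope_domain": env_domain,
        "from_domain": from_domain,
        "sender_domain": address_domain(msg.get("Sender")),
        "aligned": aligned,
        "verdict": verdict,
    }


# Constructed sample: the scenario from the thread.  The envelope and the
# non-displayed headers are honest about bigbank-phisher.com; only From: lies.
PHISH_ENVELOPE = "customerservice@bigbank-phisher.com"
PHISH_IP = "192.0.2.10"
PHISH_MESSAGE = """\
Sender: customerservice@bigbank-phisher.com
Resent-From: customerservice@bigbank-phisher.com
From: "BigBank Customer Service" <customerservice@bigbank.com>
To: victim@example.net
Subject: Please verify your account

(body omitted)
"""

# Constructed legitimate message for comparison: envelope and From: agree.
LEGIT_ENVELOPE = "bounces@bigbank.com"
LEGIT_IP = "198.51.100.5"
LEGIT_MESSAGE = """\
From: "BigBank" <statements@bigbank.com>
To: customer@example.net
Subject: Your monthly statement

(body omitted)
"""

if __name__ == "__main__":
    for label, env, ip, raw in (("phish", PHISH_ENVELOPE, PHISH_IP, PHISH_MESSAGE),
                                ("legit", LEGIT_ENVELOPE, LEGIT_IP, LEGIT_MESSAGE)):
        print(label, evaluate(env, ip, raw))
```

Run it and the phishing sample reports `spf: pass` (the attacker's record is genuinely correct for the attacker's own IP) together with `aligned: False` and `verdict: suspicious`, while the legitimate sample is `pass` and aligned. The `Sender:` and `Resent-From:` headers being "correct" does nothing for the recipient, because the MUA shows From:, so the defensive signal has to come from comparing From: with whatever identity was actually authenticated.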