spf-discuss

RE: A hole in planned phishing-prevention?

2004-06-14 10:25:20
From: Tony Finch
Sent: Monday, June 14, 2004 10:52 AM
On Fri, 4 Jun 2004, Seth Goodman wrote:

> > That gets rid of the Sender parameter.  Sender is automatically validated
> > when we validate MAIL FROM: on the first hop.  OnBehalfOf is really the
> > From: header and that's a sticky question.  Does anyone outside the same
> > domain _really_ send mail in anyone else's behalf anymore, aside from
> > mailing lists?  I can honestly say that I have never sent mail in someone
> > else's behalf and have never received a non-list message sent in someone
> > else's behalf.  Someone will probably send me one now so that I can't make
> > that claim anymore :)

> This message is an example, though it's me using my facilities at work to
> send a message on behalf of me in a personal capacity. (My personal email
> domain is hosted at work for testing purposes.) This kind of distinction
> between a single user's multiple role addresses is very common.

Well, the list munged that for you as it overwrote the Sender: address with
its own:

<...>
Date: Mon, 14 Jun 2004 16:51:42 +0100
From: Tony Finch <dot(_at_)dotat(_dot_)at>
<...>
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] A hole in planned phishing-prevention?
<...>
Sender: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Precedence: list
Reply-To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
<...>

But you have made the point.  If you had sent me this message directly, it
would have been as you describe, your business address as Sender: and your
personal address as From:, so this case does have to be dealt with in any
scenario.  I would still argue that the Sender: address is the one that
bounces should go to, since it is, in general, unverifiable that the party
who owns the From: address authorized this mail on their behalf.  In your
example, the relationship is obvious, but not so in a forgery.  This is also
congruent with the SPF idea:  whoever sends mail takes responsibility for it.
I think that should include bounces.  If so, the MAIL FROM: would be
identical to Sender:, except that MAIL FROM: is signed.

--

Seth Goodman