spf-discuss

Re: A hole in planned phishing-prevention?

2004-06-14 10:47:56
On Mon, Jun 14, 2004 at 12:11:17PM -0500, Seth Goodman wrote:
> One problem is that mailing lists would have to change their practice
> slightly.  They often use a slightly different bounce address than they put
> in Sender:.  As they are mass mailers, it would not be difficult for them to
> use the same address in both places, i.e.
> owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com, albeit with the
> appropriate signature in MAIL FROM:, and redirect any bounces to wherever
> they choose.

Mailing lists use VERP to accurately identify the address that caused the
bounce.  This allows them to not have to parse bounce messages to try to
determine which address bounced.

If they use e.g. owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com in
MAIL FROM: they would lose this ability.  I don't think you'll find many
mailing list operators would choose to give up VERPs.  I might have missed
it, but I don't see how your proposal addresses this?

-- 
"Pulling together is the aim of despotism and tyranny. Free men pull in all
kinds of directions." -- Terry Pratchett
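
Added example, not part of the original message: a sketch of the VERP mechanism the reply refers to, using the common `local+user=domain@listhost` encoding. The list address, the subscriber addresses and the function names are constructed for illustration.

```python
# Added illustration. All addresses are constructed (example.org / example.net).
LIST_BOUNCE = "owner-list@lists.example.org"   # hypothetical list bounce address


def verp_encode(bounce_addr, recipient, sep="+"):
    """Build a per-recipient MAIL FROM: local+user=domain@listhost."""
    local, domain = bounce_addr.rsplit("@", 1)
    r_local, r_domain = recipient.rsplit("@", 1)
    return f"{local}{sep}{r_local}={r_domain}@{domain}"


def verp_decode(rcpt_to, bounce_addr, sep="+"):
    """Recover the subscriber from the address a bounce was delivered to.

    Returns None when the address carries no VERP data, e.g. when the list
    used one fixed MAIL FROM for every subscriber.
    """
    local, domain = bounce_addr.rsplit("@", 1)
    b_local, _, b_domain = rcpt_to.rpartition("@")
    prefix = local + sep
    if b_domain.lower() != domain.lower() or not b_local.startswith(prefix):
        return None
    # Split on the last "=": a domain cannot contain "=", a local part can.
    r_local, eq, r_domain = b_local[len(prefix):].rpartition("=")
    if not (eq and r_local and r_domain):
        return None
    return f"{r_local}@{r_domain}"


def attribute_bounces(bounce_rcpts, bounce_addr=LIST_BOUNCE):
    """Map each bounce's envelope recipient to the subscriber that failed."""
    return {rcpt: verp_decode(rcpt, bounce_addr) for rcpt in bounce_rcpts}


if __name__ == "__main__":
    subscribers = ["alice@example.net", "bob=lists@example.com"]
    verp_senders = [verp_encode(LIST_BOUNCE, s) for s in subscribers]
    # Bounces come back to whatever MAIL FROM the list used for that copy.
    print(attribute_bounces(verp_senders))
    # With one shared MAIL FROM the envelope says nothing about who bounced.
    print(attribute_bounces([LIST_BOUNCE]))
```

When `verp_decode` returns `None`, the list operator is back to parsing the body of the bounce message to find the failing address.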