Hi there Stuart,
It will be on the headers surely, but I think the best approach in this
case (when Return-Path is different from the From: header) is to throw
the Return-Path in the From: header and throw the old From: (forgeable)
to the X-Whatever header. So, the common user will see who sent the
message,
sentto-6627711-107893-1091201205-user=example(_dot_)com(_at_)returns(_dot_)groups(_dot_)yahoo(_dot_)com
for example. If he expands the headers he will see the X-Whatever with
the From: he used on the DATA part. In my opinion this will completely
keep my users from getting scams from SPF-publishing domains, since for
the common user, who doesn't even know what a message header is, what
he sees in his MUA is the From:. If it comes from support(_at_)hisbank(_dot_)com
there is a good chance he will trust it.
I really think this approach, in combination with SPF, would shield us
all from scams. What do you think? Any flaws in this thought? *8)
Best regards,
------------------------------------------------
Rodrigo Afonso
rafonso(_at_)rits(_dot_)org(_dot_)br
Gerente TI
RITS - Rede de Informações para o Terceiro Setor
------------------------------------------------
http://www.rits.org.br
Rua Guilhermina Guinle, 272/6º Andar
Rio de Janeiro/RJ - CEP: 22270-060
Tel: (21) 2527-5494 / Fax: (21) 2527-5460
Stuart D. Gathman wrote:
> On Fri, 30 Jul 2004, Rodrigo F Afonso wrote:
>> But what if, only when the Sender-Envelope email address is different
>> from the From: header email address, we change the From: header to the
>> Sender-Envelope, forcing the mail clients to see who really sent the
>> message, and put the "user inserted" From: header on another X-whatever
>> header so at least the common user, who doesn't understand anything
>> about SPF and so on, sees that a message that is sent from their bank,
>> for example, didn't come directly from them, but from another sender?
>> Wouldn't that be more reasonable? I mean, if I get an email sent on my
>> behalf by someone that isn't me, I want the person receiving it at least
>> to see who sent it, not just putting my email up there in the From: on my MUA.
>> What do you think of that?
> That sounds like a reasonable approach. It does not correspond to any
> standard, but it will only affect users behind your MTA. I use pine
> for my MUA, so I have no problem seeing all headers by toggling 'h' :-)
> Will your users' MUA show them the X-SentBy (or whatever) header even
> though it won't show them the Sender or Return-Path header?
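The rewrite Rodrigo proposes, as an added example that is not part of this thread and not code from any of the participants: when the envelope sender (Return-Path) differs from the address in From:, the From: header is replaced with the envelope sender and the submitter's original From: is preserved under a header that casual users will not see. The header name `X-Original-From`, the `rewrite_from` function and the sample messages are assumptions of this example (the thread only says "X-Whatever" / "X-SentBy"); the null reverse-path case (`Return-Path: <>` on bounces) is handled by leaving the message untouched, since there is no sender address to show. It also shows the side effect visible in Rodrigo's own example: a legitimate mailing-list post gets the list's bounce address in From:.

```python
"""Added example: MTA-side From: rewrite when Return-Path differs from From:.
Not code from the thread; header name and samples are constructed for illustration."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical header name; the thread calls it "X-Whatever" / "X-SentBy".
ORIG_FROM_HEADER = "X-Original-From"


def envelope_sender(msg: Message) -> str:
    """Address part of Return-Path, lower-cased, or '' for a null reverse-path."""
    return parseaddr(msg.get("Return-Path", ""))[1].lower()


def rewrite_from(msg: Message) -> bool:
    """Apply the rewrite in place. Returns True if From: was replaced."""
    sender = envelope_sender(msg)
    if not sender:
        return False  # bounce with Return-Path <>: nothing to show the user
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if from_addr == sender:
        return False  # envelope and header agree: leave the message alone
    # Keep what the submitter put in DATA, but under a header the MUA hides.
    msg[ORIG_FROM_HEADER] = msg.get("From", "")
    del msg["From"]
    msg["From"] = sender
    return True


# Constructed samples (not real messages).
SAMPLE_FORGED = """Return-Path: <bounce-123@relay.example.net>
From: Support <support@bank.example>
To: user@example.com
Subject: test

body
"""

SAMPLE_LEGIT = """Return-Path: <alice@example.org>
From: Alice <Alice@Example.org>
To: user@example.com
Subject: test

body
"""

SAMPLE_BOUNCE = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.com>
To: user@example.com
Subject: Undelivered Mail

body
"""


def demo(raw: str = SAMPLE_FORGED) -> dict:
    """Parse a raw message, run the rewrite and report the visible result."""
    msg = message_from_string(raw)
    changed = rewrite_from(msg)
    return {
        "changed": changed,
        "from": msg["From"],
        "original": msg.get(ORIG_FROM_HEADER),
    }


if __name__ == "__main__":
    for name, raw in (("forged", SAMPLE_FORGED), ("legit", SAMPLE_LEGIT), ("bounce", SAMPLE_BOUNCE)):
        print(name, demo(raw))
```

The comparison is on the address part only and case-insensitive, so a display name or capitalisation difference alone does not trigger the rewrite; Stuart's question about whether the users' MUA will actually display the extra header still applies, since the preserved From: is only useful if someone can see it.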