spf-discuss

Re: Envelope Sender X From Header. How are you treating this?

2004-07-30 18:33:54

----- Original Message ----- 
From: "Rodrigo F Afonso" <rafonso(_at_)rits(_dot_)org(_dot_)br>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, July 30, 2004 5:22 PM
Subject:  Re: [spf-discuss] Envelope Sender X From Header. How are you
treating this?


Hi there Stuart,

It will be on the headers surely, but I think the best approach in this
case (when Return-Path is different from the From Header) is to throw
the Return-Path in the From: header and throw the old From: (forgeable)
to the X-Whatever header. So, the common user will see who sent the
message,
sentto-6627711-107893-1091201205-user=example(_dot_)com(_at_)returns(_dot_)groups(_dot_)yahoo(_dot_)com
for example. If he expands the headers he will see the X-Whatever with
the From: he used on the DATA part. In my opinion this will completely
keep my users from getting scams from SPF publishing domains, since for
the common user, who doesn't even know what a message header is, what
he sees on his MUA is the FROM. If it comes from
support(_at_)hisbank(_dot_)com there is a good chance he will trust it.

The more common approach in the business world is to insist that all email
be sent from the company's email servers, whether by SMTP-AUTH or webmail or
a list manager or something else, in order to prevent any kind of
manipulation or forgery or misrepresentation by a company member in the
field, or of someone pretending to be from that company without their
knowledge.

If such traffic is required by someone traveling, another approach is to use
"Reply-to:" and for the sender to carefully identify themselves as
traveling, with reference to the company office and with clear "Cc:" set to
the sender's business email address. This avoids all the difficulties of
requiring the "FROM" line in the SMTP transaction to be mismatched with the
"From:" line of the sender's message.