spf-discuss

Re: Envelope Sender X From Header. How are you treating this?

2004-07-30 18:34:12
Hi Greg,

> I think altering the From: header is a little backwards... the BEST fix
> would be to alter the MUA/mail client to display the verified address. For example, MS Outlook already displays From: <Sender> On Behalf Of
> <From>.  If MS Sender ID wins popular approval, they will probably alter
> this to display whatever header was validated (but they will probably
> also show the From:)

Yeah, I agree 100% with you on that. I think this is a thing that the MUAs should do and I don't understand why only M$'fts Outlook displays it that way....*8( Thunderbird and Evolution just ignore this, unfortunately. It would be great to get them to make an "On behalf of" thing to help reduce this sort of forging. Then this header change idea wouldn't be necessary.

> However, here is a related idea... how about, IF the From: domain is
> different from the Return-Path (aka. Envelope From) THEN keep the From:
> address the same, but change the displayed part of the name to
> (Unverified)
>
> For example:
> MAIL FROM: <user@returnpath.com>
> ...
> DATA
> From: John Doe <user@original.com>
>
> Then the MTA passing the message might change this to:
> From: John Doe (Unverified) <user@original.com>
>
> This makes an obvious, user-visible change, without altering the reply
> behavior.

That surely is a thing to think about and try out. See if it really is visible enough to make the user see that it's not really sent directly by the user, but by another account.

The only problem with this is that inserting text in the From is also possible by the person forging...so...the guy can put something like "From: Forged (*Verified) <user@forged.com>" and it would appear as "From: Forged (*Verified) (Unverified) <user@forged.com>"...do you think users (the non-tech ones) would understand that this is a fake? That's why I think that, while the MUAs don't change, forcing the From into an alternative header in the case of different Return-Paths and From headers is the best alternative, since there will be no doubt for the user that is receiving it.

As I see it, I can only find this type of difference on:
- Lists
- Mail Forwarding (which will be fixed up with SRS)
- Forged emails...

Is there any other case where this happens? If not, then we are talking only of Lists, which is, IMHO, perfectly acceptable to change the headers for.

> Ultimately, any changes we make at the MTA will probably be reversed
> once the MUA's are all updated to display verification results properly.
This is the best of both worlds. I hope it happens in the next releases of the MUAs that read this list. *8)

Best regards,

--
------------------------------------------------
Rodrigo Afonso
rafonso(_at_)rits(_dot_)org(_dot_)br
IT Manager
RITS - Rede de Informações para o Terceiro Setor
------------------------------------------------
http://www.rits.org.br
Rua Guilhermina Guinle, 272/6º Andar
Rio de Janeiro/RJ - CEP: 22270-060
Tel: (21) 2527-5494 / Fax: (21) 2527-5460
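The two MTA-side From: rewrites debated in this thread, written up as an added example (this is not code from the spf-discuss thread or from any SPF implementation). It assumes the envelope sender is available to the MTA as a Return-Path: header, that the alternate header is named X-Original-From (an assumed name, not one the thread proposes), and that "different domain" means a plain case-insensitive comparison of the part after the "@". The sample messages, including the "(*Verified)" one from the forging concern above, are constructed for this example.

```python
# Added example, not code from the spf-discuss thread: the two MTA-side From:
# rewrites discussed above, using only the Python standard library.
# Assumptions (not stated in the post): the envelope sender is available as a
# Return-Path: header, the alternate header is named X-Original-From, and the
# domain check is a plain case-insensitive comparison of the part after '@'.
from email import message_from_string
from email.message import Message
from email.utils import formataddr, parseaddr

UNVERIFIED_TAG = "(Unverified)"

# Constructed sample: the From: domain differs from the envelope sender domain.
SAMPLE_MESSAGE = """\
Return-Path: <user@returnpath.com>
From: John Doe <user@original.com>
To: recipient@example.net
Subject: constructed sample

Hello.
"""

# Constructed sample of the forging concern raised above: the sender has put
# "(*Verified)" into the display name, which the MTA cannot tell apart from a
# legitimate name, so the tag approach ends up showing both strings.
FORGED_MESSAGE = """\
Return-Path: <user@returnpath.com>
From: Forged (*Verified) <user@forged.com>
To: recipient@example.net
Subject: constructed sample

Hello.
"""


def load(raw: str) -> Message:
    """Parse a raw RFC 5322 message string into a Message object."""
    return message_from_string(raw)


def from_parts(msg: Message):
    """Return (display name, address) of From: as an MUA would parse it."""
    return parseaddr(msg.get("From", ""))


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def domains_differ(msg: Message) -> bool:
    """True when the From: domain does not match the Return-Path (envelope) domain."""
    return _domain(msg.get("From", "")) != _domain(msg.get("Return-Path", ""))


def tag_display_name(msg: Message) -> Message:
    """Approach 1 (Greg's): keep the From: address, append '(Unverified)' to the
    display name. formataddr quotes the name, so the parentheses stay inside
    the display name and reply behaviour is unchanged."""
    if "From" not in msg or not domains_differ(msg):
        return msg
    name, address = parseaddr(msg["From"])
    tagged = f"{name} {UNVERIFIED_TAG}".strip()
    msg.replace_header("From", formataddr((tagged, address)))
    return msg


def move_from_to_alternate_header(msg: Message) -> Message:
    """Approach 2 (Rodrigo's): preserve the unverified From: in X-Original-From
    (assumed header name) and make From: the envelope sender, so the user only
    sees the address that was actually checked at the envelope level."""
    if "From" not in msg or not domains_differ(msg):
        return msg
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    if not envelope:
        # Null sender (bounce) or missing Return-Path: nothing to display,
        # so fall back to tagging rather than blanking the From: header.
        return tag_display_name(msg)
    msg["X-Original-From"] = msg["From"]
    msg.replace_header("From", envelope)
    return msg


if __name__ == "__main__":
    for raw in (SAMPLE_MESSAGE, FORGED_MESSAGE):
        print("tagged :", tag_display_name(load(raw))["From"])
        print("moved  :", move_from_to_alternate_header(load(raw))["From"])
```

Running it shows the weakness Rodrigo points out: the tagged forged message displays as "Forged (*Verified) (Unverified)", whereas the move approach leaves only the envelope address in From: and keeps the original, unverified value in a separate header for anyone who wants to inspect it.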