spf-discuss

Re: *****SPAM***** Re: Envelope Sender X From Header. How are you treating this?

2004-07-30 20:22:45

----- Original Message ----- 
From: "Rodrigo F Afonso" <rafonso(_at_)rits(_dot_)org(_dot_)br>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, July 30, 2004 9:40 PM
Subject: *****SPAM***** Re: [spf-discuss] Envelope Sender X From Header. How are you treating this?


Hi Nico,

If such traffic is required by someone traveling, another approach is to use
"Reply-to:" and for the sender to carefully identify themselves as
traveling, with reference to the company office and with clear "Cc:" set to
the sender's business email address. This avoids all the difficulties of
requiring the "FROM" line in the SMTP transaction to be mismatched with the
"From:" line of the sender's message.



Yes, I understand that, the problem is that the Mail Clients don't...*8(
And if the forger inserts the From: Header in the DATA part of the
message, the Mail Client, incorrectly in my point of view, uses this one,
making all SPF and stuff useless in this particular case. For the final
user it appears that he received an email from the forged address.

Well, yes.. He did in fact receive the email from a forged address in this
case, one that was hopefully forged with the permission of the company or
the users involved. But allowing this kind of forgery in these cases pretty
much guarantees that the forgery will be permitted when it should not be,
such as when the same traveling salesman connects to the port of the
farmer's daughter network and comes back with a virus.
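
The mismatch discussed in this thread, as an added example that is not part of the original messages: a receiver-side check that compares the SMTP envelope sender (the identity SPF evaluates) with the "From:" header in the DATA part (the identity the mail client shows). The function name, the finding labels, the sample addresses and the strict domain-equality rule are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    local, at, dom = addr.rpartition("@")
    return dom.lower().rstrip(".") if at else ""

def compare_sender_identities(envelope_from, raw_message):
    """Compare the SMTP MAIL FROM address with the From: header in DATA.

    Assumption: only exact domain equality counts as a match.
    """
    msg = message_from_string(raw_message)
    header_from = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    env_dom = domain_of(envelope_from)
    findings = []
    if not env_dom:
        # Empty or malformed MAIL FROM: there is no envelope domain to compare.
        findings.append("null-or-invalid-envelope-sender")
    if not header_from:
        findings.append("missing-from-header")
    elif len(header_from) > 1:
        # More than one author address: which one the client shows is unclear.
        findings.append("multiple-from-addresses")
    if env_dom and any(domain_of(a) != env_dom for a in header_from):
        findings.append("from-header-differs-from-envelope")
    return {"envelope_domain": env_dom, "header_from": header_from,
            "reply_to": reply_to, "findings": findings}

# Constructed sample: the traveler sends from the account actually in use and
# points replies at the office address with Reply-To: and Cc:.
TRAVELER = ("From: Pat <pat@hotel-isp.example>\n"
            "Reply-To: pat@company.example\n"
            "Cc: pat@company.example\n"
            "Subject: Traveling this week, writing from the hotel\n\nbody\n")

# Constructed sample: the envelope sender belongs to one domain while the
# From: header in DATA names another, so the client shows the second one.
MISMATCH = ("From: Pat <pat@company.example>\n"
            "Subject: hello\n\nbody\n")

if __name__ == "__main__":
    for env, raw in (("pat@hotel-isp.example", TRAVELER),
                     ("x@bulk.example", MISMATCH)):
        print(env, compare_sender_identities(env, raw)["findings"])
```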