spf-discuss

Re: Can SPF identify wildcard domain forgery?

2004-08-21 23:52:59
AccuSpam <support(_at_)accuspam(_dot_)com> writes:

Also I think many people who buy domains for personal use, do get
*@domain mailbox.  It is sort of a super feature that ISPs can offer
at no extra cost.  Maybe I am wrong.  But certainly many of the
millions of domains have *@domain mailbox and this is a big hole for
*EXISTENT* sender address email forgery.

Why is this a big hole? Surely this only affects incoming mail and has
no effect on sender address email forgery. If you are thinking of
call-back checks (by the recipient) then do not forget that (at least
with SPF) the mail has to come from the correct MTA as well. But I
agree that where several domains all use a common (ISP) server it does
allow for other users of the same server to forge the sender address.

I am not sure if I should mention it here, but at least one of the
other systems undergoing testing at the moment has the capability to
combat the shared server forgery problem. Domain Keys - if the
customer (domain owner) uses Domain Keys before submitting the mail to
the ISP's shared server then other users of the server will not be
able to forge emails as coming from that domain.
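
An added illustration of the shared-server case discussed in this message (not part of the original post): a reduced SPF evaluator passes a sender address forged by another user of the shared relay, while a signature check against the claimed domain's published key rejects it. The domains, addresses, helper names and the textbook-RSA signing (a stand-in for Domain Keys, not its wire format) are constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed data: two customer domains that both send through one ISP relay.
SHARED_RELAY = "192.0.2.25"
SPF = {
    "alice.example": "v=spf1 ip4:192.0.2.25 -all",
    "bob.example": "v=spf1 ip4:192.0.2.25 -all",
}

def spf_check(domain, client_ip):
    """Evaluate only the ip4 and all mechanisms of a published SPF record."""
    record = SPF.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:")
                and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return results[qualifier]
    return "neutral"

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes; illustration only, not secure."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, public, private):
    return pow(digest(message, public[0]), private, public[0])

def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(message, n)

ALICE_PUB, ALICE_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)
PUBLISHED_KEYS = {"alice.example": ALICE_PUB, "bob.example": BOB_PUB}  # stand-in for DNS

def receive(mail_from_domain, client_ip, message, signature):
    """Return (SPF result, signature valid for the claimed domain)."""
    key = PUBLISHED_KEYS[mail_from_domain]
    return spf_check(mail_from_domain, client_ip), verify(message, signature, key)
```

Mail signed by the domain owner and mail forged by another user of the relay both return an SPF `pass`; only the signature result separates them.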