spf-discuss

Re: Google's gmail.com checks spf records!

2004-09-08 01:59:01

----- Original Message -----
From: "Paul Howarth" <paul(_at_)city-fan(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, September 08, 2004 10:41 AM
Subject: Re: [spf-discuss] Google's gmail.com checks spf records!


jpinkerton wrote:
I hope I am wrong - but if I can send you a mail with a false reply-to
that's spoofing, afaik, and is exactly what spf is trying to stop.

I completely disagree. Adding a Reply-To: header is exactly what we *should*
be advocating for people trying to use a "foreign" ISP where they cannot for
whatever reason use SMTP AUTH from the "home" ISP. They send mail using the
account at the "foreign" ISP (MAIL FROM: and From: header), and use a
Reply-To: header to have replies go to their home account. No spoofing,
perfectly legitimate.

If mail sent in this format turns out to be abusive, the complaints will go to
the "foreign" ISP, which is exactly as it should be.


Interesting take on spoofing :-)  I was always under the impression that
spoofing meant falsifying the reply-to address so that when a user clicks
"reply to" in MSOE the mail is sent to the reply-to address falsely chosen
by the sender.  Tech-aware users might well be able to see through the
falsified reply-to, but 90% of users won't, and those are the guys we're
trying to protect, I thought?


Slainte,

JohnP.
johnp(_at_)idimo(_dot_)com
ICQ 313355492
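
An added example, not part of either poster's message: it separates the identities debated in this thread for the roaming-user setup. SPF evaluates the envelope sender (MAIL FROM) domain and does not look at Reply-To, so a receiver that wants to surface a diverging Reply-To has to compare it separately. The sample message, its `.example` domains and the function names are constructed for illustration, and Return-Path is assumed to carry the MAIL FROM recorded at delivery.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: mail sent through the "foreign" ISP with replies
# directed to the home account. All addresses are placeholders.
SAMPLE = """\
Return-Path: <alice@foreign-isp.example>
From: Alice <alice@foreign-isp.example>
Reply-To: alice@home-isp.example
To: bob@recipient.example
Subject: hello

body
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None  # empty value or null sender "<>"
    return addr.rsplit("@", 1)[1].lower()


def identities(raw_message, mail_from=None):
    """Map each identity to its domain.

    mail_from is the SMTP envelope sender if the caller has it; otherwise
    the Return-Path header is used as a stand-in (assumption).
    """
    msg = message_from_string(raw_message)
    envelope = mail_from or msg.get("Return-Path")
    return {
        "spf_checked": domain_of(envelope),      # what an SPF check evaluates
        "from": domain_of(msg.get("From")),      # what the reader sees
        "reply_to": domain_of(msg.get("Reply-To")),  # where a reply goes
    }


def reply_to_diverges(ids):
    """True when a reply would go to a different domain than the visible From."""
    return ids["reply_to"] is not None and ids["reply_to"] != ids["from"]


if __name__ == "__main__":
    ids = identities(SAMPLE)
    print(ids, "reply-to diverges:", reply_to_diverges(ids))
```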