spf-discuss

Re: Google's gmail.com checks spf records!

2004-09-08 02:39:01

----- Original Message -----
From: "Paul Howarth" <paul(_at_)city-fan(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, September 08, 2004 11:06 AM
Subject: Re: [spf-discuss] Google's gmail.com checks spf records!


jpinkerton wrote:
Interesting take on spoofing :-)  I was always under the impression that
spoofing meant falsifying the reply-to address so that when a user clicks
"reply to" in MSOE the mail is sent to the reply-to address falsely chosen
by the sender.  Tech-aware users might well be able to see through the
falsified reply-to, but 90% of users won't, and those are the guys we're
trying to protect, I thought?

Not with SPF. Sender-ID and possibly Unified SPF might target the From:
header, but I don't think any of them target the Reply-To: header.

What do you suppose a "legitimate" use of the "Reply-To:" header would be,
and why is it not spoofing?


Well - to be honest - I'm not sure why Reply-To: should exist at all, given
the fact that there's a From:  If they are not the same address, the mail is
suspect, imho.  I'm talking mail headers here, *not* envelope headers which
don't show in MSOE.  I am not expert enough to be clear on this, but I allow
common-sense to guide me - in my opinion there are too many mail headers,
all the more esoteric information should be in the envelope headers, showing
the routing, etc.  If there was one which identified the ISP the mail came
from and one which identified the originating sender in person by his/her
e-mail address, both authenticated and passed on by any/all intermediate
handlers (forwarders, etc) of the mail, that would be ample, and would
remove the opportunity for spoofers to forge addresses.

Any script kiddie can write a script which will insert false Reply-To:
addresses in their spam, and *that* is what I thought we were sorting out?


Slainte,

JohnP.
johnp(_at_)idimo(_dot_)com
ICQ 313355492
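As an added illustration of the point argued in this thread (not code from the list or its participants): classic SPF checks the envelope MAIL FROM, Sender-ID's PRA picks a visible header such as From:, and nothing checks Reply-To:. The script below pulls those three identities out of a constructed sample message and applies JohnP's heuristic that a Reply-To: pointing somewhere other than From: (or the envelope) is worth flagging. The message, addresses and function names are all assumptions for the example.

```python
# Added example, not from the spf-discuss thread. Shows which sender identity
# each mechanism discussed above authenticates, and flags a Reply-To: that
# points elsewhere than From: / the envelope sender (JohnP's heuristic).
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The envelope sender (SMTP MAIL FROM) is passed
# separately: it is not a message header and MSOE does not display it.
SAMPLE_MAIL_FROM = "bounce@mailer.example.net"
SAMPLE_MESSAGE = """\
From: "Alice" <alice@example.org>
Reply-To: "Alice" <collector@other.example.com>
To: bob@example.com
Subject: constructed test message

hello
"""


def identities(raw_message: str, mail_from: str) -> dict:
    """Return the identities the thread's mechanisms look at.

    spf_envelope: what classic SPF authenticates (MAIL FROM).
    senderid_pra: simplified PRA, Sender: then From: (full PRA also
                  considers Resent-* headers first).
    reply_to:     authenticated by none of them.
    """
    msg = message_from_string(raw_message)
    return {
        "spf_envelope": parseaddr(mail_from)[1],
        "senderid_pra": parseaddr(msg.get("Sender", msg.get("From", "")))[1],
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
    }


def domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_to_mismatch(ids: dict) -> bool:
    """True when Reply-To: is present and its domain matches neither the
    PRA (From:) domain nor the SPF-authenticated envelope domain."""
    rt = ids["reply_to"]
    if not rt:
        return False
    trusted = {domain(ids["senderid_pra"]), domain(ids["spf_envelope"])}
    return domain(rt) not in trusted


if __name__ == "__main__":
    ids = identities(SAMPLE_MESSAGE, SAMPLE_MAIL_FROM)
    for name, value in ids.items():
        print(f"{name:13} {value}")
    print("reply-to mismatch:", reply_to_mismatch(ids))
```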