spf-discuss

Re: Google's gmail.com checks spf records!

2004-09-08 02:48:17
jpinkerton wrote:
> Well - to be honest - I'm not sure why Reply-To: should exist at all, given
> the fact that there's a From:  If they are not the same address, the mail is
> suspect, imho.

Well, your message from the list that I'm replying to has:

From: "jpinkerton" <johnp(_at_)idimo(_dot_)com>
Reply-To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

Is that suspect?

> I'm talking mail headers here, *not* envelope headers which
> don't show in MSOE.

There's no such thing as "envelope headers". There's an envelope sender address (the target of Classic SPF checks) and one or more envelope recipient addresses, indicating where the mail should be delivered to. That's all.

> I am not expert enough to be clear on this, but I allow
> common-sense to guide me - in my opinion there are too many mail headers,
> all the more esoteric information should be in the envelope headers, showing
> the routing, etc.  If there was one which identified the ISP the mail came
> from and one which identified the originating sender in person by his/her
> e-mail address, both authenticated and passed on by any/all intermediate
> handlers (forwarders, etc) of the mail, that would be ample, and would
> remove the opportunity for spoofers to forge addresses.

Unfortunately what you're describing is not SMTP, so it would be rather a large change to move over to a fully authenticated scheme like that.

> Any script kiddie can write a script which will insert false Reply-To:
> addresses in their spam, and *that* is what I thought we were sorting out?

It's very very easy, yes. However, Classic SPF is targeting only the RFC 2821 (envelope) sender address, not any of the RFC 2822 (message header) addresses. That's a different problem; related, but different.

Paul.
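The envelope/header distinction Paul draws above, as an added example that is not code from this thread or from any SPF implementation. It walks a constructed SMTP transcript (client "C:" lines, server "S:" lines), separates the RFC 2821 envelope (HELO, MAIL FROM, RCPT TO) from the RFC 2822 header fields (From:, Reply-To:), and then runs a toy SPF check against a constructed in-memory DNS table. The domains, addresses, IP ranges and the SPF records are all made up (RFC 2606 / RFC 5737 ranges). It goes a little beyond the message in one respect: the evaluator actually carries a record through ip4 and all mechanisms with the +/-/~/? qualifiers, and applies the spec's null-sender rule (MAIL FROM:<> is checked as postmaster@<HELO domain>), which the message does not describe.

```python
"""Envelope vs. header addresses, and which one a Classic SPF check uses.

Added example, not code from the spf-discuss thread. Every domain, address,
IP and SPF record here is constructed (RFC 2606 names, RFC 5737 ranges).
"""
import ipaddress
import re

# Constructed SMTP transcript. "C:" lines come from the sending MTA, "S:" from
# the receiving MTA. Only the DATA section is what a mail client ever shows.
SESSION = """\
S: 220 mx.example.net ESMTP
C: HELO mail.example.com
S: 250 mx.example.net
C: MAIL FROM:<bounces@example.com>
S: 250 OK
C: RCPT TO:<bob@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Alice" <alice@example.com>
C: Reply-To: spf-discuss@lists.example.org
C: To: bob@example.net
C: Subject: envelope vs. header
C:
C: The header block above is what MSOE shows; the envelope is not shown.
C: .
S: 250 OK queued
"""

# Constructed DNS TXT records. SPF only ever looks up the envelope sender's domain.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.org": "v=spf1 ip4:203.0.113.0/24 ~all",
}


def _angle_addr(s):
    """Pull the address out of MAIL FROM:<...> / RCPT TO:<...>; '' for a null sender."""
    m = re.search(r"<([^>]*)>", s)
    return m.group(1) if m else s.strip()


def parse_session(transcript):
    """Split one SMTP session into the RFC 2821 envelope and the RFC 2822 headers."""
    env = {"helo": None, "mail_from": None, "rcpt_to": []}
    headers = {}
    in_data = False
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue                      # server replies carry no addresses
        cmd = line[2:].strip()
        if in_data:
            if cmd == "":
                break                     # blank line ends the header block
            name, _, value = cmd.partition(":")
            headers[name.strip().lower()] = value.strip()
            continue
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            env["helo"] = arg.strip()
        elif verb == "MAIL":
            env["mail_from"] = _angle_addr(arg)
        elif verb == "RCPT":
            env["rcpt_to"].append(_angle_addr(arg))
        elif verb == "DATA":
            in_data = True
    return env, headers


def spf_identity(env):
    """The identity a Classic SPF check evaluates: the envelope sender (MAIL FROM).
    For a null sender (MAIL FROM:<>, as used by bounces) the spec substitutes
    postmaster@<HELO domain>. Header From:/Reply-To: are never consulted."""
    if env["mail_from"]:
        return env["mail_from"]
    return "postmaster@" + env["helo"]


def check_spf(client_ip, identity, dns=DNS_TXT):
    """Toy SPF evaluator: 'ip4' (with optional CIDR) and 'all', with qualifiers.
    Other mechanisms (a, mx, include, ...) are deliberately out of scope."""
    domain = identity.rpartition("@")[2].lower()
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return results[qualifier]
        if mech == "ip4" and ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
            return results[qualifier]
    return "neutral"                      # nothing matched and no 'all' term


def check_session(transcript, client_ip, dns=DNS_TXT):
    """Show side by side what the headers say and what SPF actually checked."""
    env, headers = parse_session(transcript)
    identity = spf_identity(env)
    return {
        "envelope_sender": env["mail_from"],
        "header_from": headers.get("from"),
        "header_reply_to": headers.get("reply-to"),
        "spf_identity": identity,
        "spf_result": check_spf(client_ip, identity, dns),
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, check_session(SESSION, ip))
```

Running it shows the point of the message: the Reply-To: pointing at a list address and the From: both pass straight through untouched, and the result flips from pass to fail only because the connecting IP leaves the range published for the envelope sender's domain, example.com. A forged Reply-To: in the DATA section changes nothing here; that is the separate header-address problem Paul mentions.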