spf-discuss

Re: Google's gmail.com checks spf records!

2004-09-08 03:02:14
On Wed, Sep 08, 2004 at 11:39:01AM +0200, jpinkerton wrote:
> Well - to be honest - I'm not sure why Reply-To: should exist at all, given
> the fact that there's a From:  If they are not the same address, the mail is
> suspect, imho.  I'm talking mail headers here, *not* envelope headers which
> don't show in MSOE.  I am not expert enough to be clear on this, but I allow
> common-sense to guide me - in my opinion there are too many mail headers,
> all the more esoteric information should be in the envelope headers, showing
> the routing, etc.  If there was one which identified the ISP the mail came
> from and one which identified the originating sender in person by his/her
> e-mail address, both authenticated and passed on by any/all intermediate
> handlers (forwarders, etc) of the mail, that would be ample, and would
> remove the opportunity for spoofers to forge addresses.
>
> Any script kiddie can write a script which will insert false Reply-To:
> addresses in their spam, and *that* is what I thought we were sorting out?

Imho, there's nothing wrong with reply-to. In fact, it is the better
solution for greeting card sites etc I think: they send mail from
'bounces@greetingcards.tld' with a Reply-to specifying the person who
initiated the greeting card. That way, the greeting card site can have
MAIL FROM and From: the same, and apply spf to their domain. 

If someone malicious inserts false reply-to's, at least we have an
spf-checked MAIL FROM that we can use to track down the malicious
person.

Koen

-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
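The greeting-card setup Koen describes, as an added example that is not part of the thread: MAIL FROM and From: both carry the service's own address so one SPF record covers them, while Reply-To names the person who sent the card. The report function shows which identity a receiver can actually rely on after an SPF check; the SPF verdict itself is assumed to have been computed already, and all addresses and domains are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import parseaddr


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address ('' if none)."""
    _, email_addr = parseaddr(str(addr or ""))
    return email_addr.rpartition("@")[2].lower()


def build_greeting_card(service_bounce, user_addr, body):
    """Message shape from the thread: envelope MAIL FROM and header From:
    are the service's bounce address (so SPF on the service domain applies
    to both); Reply-To carries the person who initiated the card."""
    msg = EmailMessage()
    msg["From"] = service_bounce
    msg["Reply-To"] = user_addr
    msg["Subject"] = "You have a greeting card"
    msg.set_content(body)
    return service_bounce, msg  # (envelope sender, header message)


def identity_report(mail_from, msg, spf_result):
    """Summarise what an SPF check on MAIL FROM does and does not vouch for.
    spf_result is the receiver's verdict for MAIL FROM ('pass', 'fail', ...)."""
    env_dom = domain_of(mail_from)
    from_dom = domain_of(msg.get("From"))
    return {
        "spf_domain": env_dom,
        "spf_result": spf_result,
        # From: is only as trustworthy as SPF when it matches the checked domain
        "from_aligned": bool(from_dom) and from_dom == env_dom,
        "reply_to_domain": domain_of(msg.get("Reply-To")),
        # Reply-To is never covered by SPF, whoever set it
        "reply_to_authenticated": False,
        # The identity worth tracing back to is the SPF-passed envelope sender
        "trace_identity": mail_from if spf_result == "pass" else None,
    }


if __name__ == "__main__":
    # Legitimate card: service domain passes SPF, user only appears in Reply-To.
    mf, m = build_greeting_card("bounces@greetingcards.example",
                                "Alice <alice@example.org>", "Happy birthday!")
    print(identity_report(mf, m, "pass"))
    # Spam with a forged Reply-To: SPF still pins the sender's own domain.
    mf, m = build_greeting_card("x@spammer.example", "victim@example.org", "buy now")
    print(identity_report(mf, m, "pass"))
```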