spf-discuss

RE: Google's gmail.com checks spf records!

2004-09-08 05:31:21
Point to note:

Good MUAs (e.g. Pine), when you reply to a message, if there is a "Reply-To" address different than the From address, prompt you: "Do you want to reply to the From address or the Reply-To address?"


Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry(_at_)greatgulfhomes(_dot_)com
Fax: (416) 441-9085


-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
jpinkerton
Sent: Wednesday, September 08, 2004 5:39 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Google's gmail.com checks spf records!



----- Original Message -----
From: "Paul Howarth" <paul(_at_)city-fan(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, September 08, 2004 11:06 AM
Subject: Re: [spf-discuss] Google's gmail.com checks spf records!


jpinkerton wrote:
Interesting take on spoofing :-)  I was always under the impression that spoofing meant falsifying the reply-to address so that when a user clicks "reply to" in MSOE the mail is sent to the reply-to address falsely chosen by the sender.  Tech-aware users might well be able to see through the falsified reply-to, but 90% of users won't, and those are the guys we're trying to protect, I thought?

Not with SPF. Sender-ID and possible Unified SPF might target the From: header but I don't think any of them target the Reply-To: header.

What do you suppose a "legitimate" use of the "Reply-To:" header would be, and why is it not spoofing?


Well - to be honest - I'm not sure why Reply-To: should exist at all, given the fact that there's a From:  If they are not the same address, the mail is suspect, imho.  I'm talking mail headers here, *not* envelope headers which don't show in MSOE.  I am not expert enough to be clear on this, but I allow common-sense to guide me - in my opinion there are too many mail headers, all the more esoteric information should be in the envelope headers, showing the routing, etc.  If there was one which identified the ISP the mail came from and one which identified the originating sender in person by his/her e-mail address, both authenticated and passed on by any/all intermediate handlers (forwarders, etc) of the mail, that would be ample, and would remove the opportunity for spoofers to forge addresses.

Any script kiddie can write a script which will insert false Reply-To: addresses in their spam, and *that* is what I thought we were sorting out?


Slainte,

JohnP.
johnp(_at_)idimo(_dot_)com
ICQ 313355492

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in
Atlanta features SPF and Sender ID.
To unsubscribe, change your address, or temporarily
deactivate your subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
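The thread above turns on two separate identities: the SMTP envelope sender that SPF evaluates, and the Reply-To: header that SPF never looks at (and that Terry's MUA prompts about). The following is an added example, not code from this thread or from any participant, that makes the distinction concrete: a deliberately minimal SPF check (only ip4 mechanisms and the "all" catch-all are modelled, with the DNS TXT lookup replaced by a constructed table) run against the envelope sender, alongside a separate header-level check that flags a Reply-To: differing from From:. All domains, addresses and SPF records are constructed for the example.

```python
"""Added example (not from the spf-discuss thread): which identity SPF
evaluates, and how a receiver can separately flag a Reply-To that differs
from From.  Domains, addresses and SPF records below are constructed."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (hypothetical domains, not real policy).
SPF_POLICIES = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 -all",
}


def check_spf(envelope_from, client_ip):
    """Minimal SPF evaluation: only 'ip4:' mechanisms and 'all' are handled.

    SPF checks the SMTP MAIL FROM (envelope sender) domain against the
    connecting IP.  It does not look at Reply-To:, and plain SPF does not
    look at the From: header either."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = SPF_POLICIES.get(domain)
    if record is None:
        return "none"                           # no policy published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:             # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue                            # other mechanisms not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"                            # record exhausted without a match


def assess(raw_message, envelope_from, client_ip):
    """Combine the SPF verdict on the envelope with a header-level Reply-To check."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return {
        "spf": check_spf(envelope_from, client_ip),
        "from": from_addr,
        "reply_to": reply_to,
        # The mismatch a careful MUA prompts about; only meaningful when Reply-To is set.
        "reply_to_mismatch": bool(reply_to) and reply_to != from_addr,
    }


# Constructed message: SPF passes on the envelope, yet Reply-To points elsewhere.
SAMPLE = """From: Alice <alice@example.com>
Reply-To: replies@example.net
To: bob@example.org
Subject: constructed sample

body
"""

if __name__ == "__main__":
    # Envelope sender and client IP are constructed to match example.com's record.
    print(assess(SAMPLE, "bounces@example.com", "192.0.2.10"))
```

Running it yields an SPF "pass" together with `reply_to_mismatch` set, which is exactly the situation the thread describes: the envelope identity checks out, and a Reply-To: pointing somewhere else is left for the receiver or the MUA to notice on its own.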