Stuart D. Gathman wrote:
> On Wed, 8 Sep 2004, jpinkerton wrote:
>> Any script kiddie can write a script which will insert false
>> Reply-To: addresses in their spam, and *that* is what I thought we
>> were sorting out?
> SPF only authenticates RFC2821 headers (envelope). Authenticating
> RFC2822 headers is what Unified SPF and Sender-ID are addressing
> (not very well IMHO - I think Domain Keys has a better chance for
> RFC2822 authentication).
Not to waste too much breath on the issue (and not against you, Stuart, just
in general), but I stick to thinking there is absolutely nothing wrong with
the "Reply-To" header.
For one, "Reply-To" does not serve the purpose of authenticating where a
message came FROM, but only where a reply is supposed to go TO. So, if
someone used the "Reply-To" header for incoming authentication, then they
were mistaken to do so in the first place.
For two, I can for the life of me not think of any "malicious" use of the
"Reply-To" header. Yes, you could have a regular "From:" address, and then
sneakily set the "Reply-To" address to an innocent third party. So? To what
end? Certainly not to create false bounces; because those would use the
envelope-from.
I read the guy's article. I was not overly impressed. It really all boils
down to him accidentally having sent private email to a public list once.
Well, in my experience, the opposite is much more risky: replying
personally, when you really meant to reply to the public list. Especially on
the more formal lists, that sort of thing is frowned upon. Professional
participants are generally busy, and do not much care for being accosted in
private email on issues that they discuss in a public forum.
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
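The distinction the thread turns on (SPF evaluating the RFC2821 envelope MAIL FROM, never the RFC2822 From: or Reply-To: headers) can be made concrete with a small evaluator. The following is an added example, not code from the mailing list or from any SPF implementation: it implements only the ip4, include and all mechanisms over a constructed, in-memory DNS table, and the domains, addresses and message below are all made up for illustration.

```python
"""Toy SPF evaluation showing which identity SPF actually checks.

Added example (not from the thread). Supports a subset of SPF: the ip4,
include and all mechanisms with +/-/~/? qualifiers. Records come from a
constructed in-memory table instead of real DNS.
"""
import ipaddress
from email import message_from_string

# Constructed DNS TXT table (assumption: domains and records are invented).
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "innocent.example": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `client_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # guard against include: loops, as RFC 4408 requires
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and check_spf(client_ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def spf_identity(envelope_mail_from):
    """SPF's identity is the domain of the envelope MAIL FROM, not a header."""
    return envelope_mail_from.rsplit("@", 1)[1].lower()


def evaluate_delivery(client_ip, envelope_mail_from, raw_message):
    """Run the envelope SPF check and report the (unchecked) RFC2822 headers."""
    msg = message_from_string(raw_message)
    return {
        "spf_result": check_spf(client_ip, spf_identity(envelope_mail_from)),
        "header_from": msg["From"],
        "reply_to": msg["Reply-To"],
    }


# Constructed message: legitimate envelope, but a Reply-To pointing elsewhere.
SAMPLE_MESSAGE = """From: Bob <bob@example.org>
Reply-To: victim@innocent.example
Subject: test

body
"""

if __name__ == "__main__":
    # Legitimate sender from an authorised IP: SPF passes on the envelope,
    # and the Reply-To header played no part in that decision.
    print(evaluate_delivery("192.0.2.7", "bob@example.org", SAMPLE_MESSAGE))
    # Forged envelope from an unauthorised IP: SPF fails.
    print(evaluate_delivery("203.0.113.5", "bob@example.org", SAMPLE_MESSAGE))
```

Checking the Reply-To domain against the connecting IP (`check_spf("192.0.2.7", "innocent.example")`) would return "fail" for a perfectly legitimate message, which is the point made above: Reply-To says where replies go, not where the message came from, so it is the wrong identity to authenticate.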