Meng Weng Wong wrote:
On Tue, Sep 21, 2004 at 05:12:57PM -0600, Steve Meyers wrote:
That's more like SPF. All you can tell is that the swipe was from a
certain company, you can't tell who. The ISP's mail server is a
shared resource (much like our building-wide swipe card), so
individual user authentication to the recipient's mail server is
impossible, unless the sender's ISP takes measures to eliminate
cross-account spoofing.
Exactly. That was my point all along. :) In fact, under SPF "classic" there
is no guarantee that MAIL FROM is actually an existing address, even! Much
less authenticated, at that.
I think the above scenario confuses authentication with
identification.
We're starting to split that hair mighty thin; but I would say:
"identification" is establishing someone's identity, whereas
"authentication" is verifying the authenticity of that identity. Here is
where the two cross over, of course. Because it could be argued that one cannot
properly identify a user without also having established the authenticity of
that identity. Still, in my world, an "authenticated" user is a confirmed
identity. I guess that is why they call it SMTP AUTH, not SMTP IDENT. :)
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx