spf-discuss
[Top] [All Lists]

RE: Processed-By (or Transmitted-By) header concept

2004-09-27 13:14:07
On Mon, 27 Sep 2004, Scott Kitterman wrote:

The Processed-By proposal would seem to require that I trust the remote
processor (forwarder) and believe that it's characterization of the previous
path of the message is correct.  If I trust the forwarder not to lie about
where it got the message, why can't I just whitelist an SPF classic checking
forwarder that I trust and be done with it.

You misunderstand. Processed-By headers only record the information about
what happened during forwarding. One of the headers recorded is
"Envelope-Submitter". And as it is "Envelope", i.e. its record of RFC2821
it can not be used unless the same server also used SUBMITTER during
mail command.

If system does not support SUBMITTER, it can still enter Processed-By 
header and one may assume that information that went into what I currently 
called "on-behalf-of" (name I don't particularly  like and would like to 
find shorter two-word combination) would have been the SUBMITTER address.

This is no more or less "trusting" then the Microsoft PRA concept of
adding Resent headers that you have to trust but that may well be a lie.

I think finding a way to build a 2821 based SUBMITTER that projects an
appropriate identity into 2822 (the opposite of the MS PRA proposal)
good way to aid whitelisting. 

That is exactly what combination of draft-leibzon-responsible-submitter
and the new Processed-By headers would do. 

An additional draft on how to match the data in SUBMITTER and other 
RFC2821 headers to data found in Processed-By may also be needed to
aid systems that are verifiying email and identify false headers.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/