spf-discuss

RE: No use of checking RFC2822 headers

2004-09-29 08:40:22
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



[Carl Hutzler]

And to be fair, Outlook does show both when you OPEN THE 
EMAIL and read it. But in the list view, they only show 
the display name (like most clients).

Your list message showed up in Outlook 2003SP1 as:
 
        From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com on behalf 
                of Carl Hutzler [cdhutzler(_at_)aol(_dot_)com]

Now, that makes a lot of sense to me as an IT guy, since that's
exactly the semantics of a mailing list message. It's a straightforward
presentation of the message's From and Sender headers. Bravo
Microsoft.

But it's just too long and detailed for the normal email user to
digest, or even care about.

I do consulting work for financial services firms. One client's
network was a complete mess when I showed up... viruses, spyware, the
usual "we-don't-have-an-IT-guy" drill. But these same workstations
are used to trade millions of dollars in securities a year.

Talking with one of the traders (call him Joe), I was surprised that
he wasn't at all concerned about his machine being infested with
spyware or zombie trojans. I asked him to sit with me for a while to
talk about what not to do, just a quick tutorial. He refused. 

He simply said "I don't care. I don't care if other people get spam,
I don't care about being a good Internet citizen, I don't care about
having viruses. I only care if I can make money trading."

I tried to explain that the trojans and zombies would effectively
allow someone to STEAL money from him, by piggybacking his trades,
slow down his trade execution, or screw him in the by seeing his
positions and strategy beforehand. But even that didn't register. "It
hasn't happened yet, to me or any other trader I know, and when it
does, I'll pay you to protect me, or sue you for not protecting me."

This is one of the big disconnects between IT guys and regular
people. We consider it a disaster if a computer is screwed up,
running slow, or hacked by some means. Joe Trader doesn't give a
rat's ass. He actually expects it. He clicks past error messages and
security warnings without reading them, and goes merrily on his way.

Joe Trader is going to ignore *whatever* indication we put into a
mail client that a message may be forged. So the only solution is to
bounce forged messages completely, which is why I like SPF. But I
also think we need SPF-like semantics for the RFC-2822 header
information, so that we can bounce messages with forgeries of that
information.

Maybe we should stick with classic SPF, and rewrite the From and
Sender headers at the receiving MTA to be the envelope sender. Or
bounce the message if the envelope and RFC-2822 headers don't match
up. Maybe at least put "FORGED EMAIL ADDRESS" in the RFC-2822 From
header if it doesn't match the envelope sender, and do something similar
to the message body. 

I know such actions would cause all sorts of new problems with
"normal" email operations, but how else can we protect Joe Trader
from harming himself and us?

Regards,
        Ryan


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1

iD8DBQFBWtdV9wZiZHyXot4RAnckAJ9jCS8tOnVuQ8v1jf+cG6raCnQXMgCg5RUJ
ETuIydiCgw06Mx7CG5rhHHQ=
=/ZoW
-----END PGP SIGNATURE-----
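
The envelope-versus-header comparison proposed in the message, sketched as an added example that is not part of the original post or of any SPF implementation. The function names, verdict strings and `.example` addresses are assumptions constructed for illustration; the list-style sample shows why a strict From check also catches ordinary mailing-list mail.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def classify(envelope_from, raw_message):
    """Compare the SMTP envelope sender with the RFC 2822 From/Sender headers.

    'no-envelope' : null return path (bounces), nothing to compare against
    'aligned'     : the single From address shares the envelope domain
    'sender-only' : From differs but Sender matches (typical list mail)
    'mismatch'    : neither header matches, or From is missing/ambiguous
    """
    env = _domain(envelope_from)
    if not env:
        return "no-envelope"
    msg = message_from_string(raw_message)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    if len(from_addrs) != 1:
        return "mismatch"
    if _domain(from_addrs[0]) == env:
        return "aligned"
    sender = parseaddr(msg.get("Sender", ""))[1]
    if sender and _domain(sender) == env:
        return "sender-only"
    return "mismatch"

def mark_forged(raw_message):
    """Replace the From display name with the warning text from the post."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg["From"])[1]
    msg.replace_header("From", f'"FORGED EMAIL ADDRESS" <{addr}>')
    return msg.as_string()

# Constructed sample messages (not taken from the list archive).
DIRECT = "From: Alice <alice@bank.example>\nSubject: hi\n\nbody\n"
LIST = ("From: Carl <carl@isp.example>\n"
        "Sender: owner-list@lists.example\nSubject: hi\n\nbody\n")
FORGED = 'From: "Bank" <service@bank.example>\nSubject: hi\n\nbody\n'

if __name__ == "__main__":
    print(classify("alice@bank.example", DIRECT))
    print(classify("owner-list@lists.example", LIST))
    print(classify("x@bulk.example", FORGED))
    print(mark_forged(FORGED))
```

A receiver that rejects everything short of `aligned` would also reject the `sender-only` list message, which is the kind of breakage to "normal" email operations the message anticipates.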