On Thu, 6 Jan 2005, Julian Mehnle wrote:
> And that can only mean that we have to advocate prevention of
> cross-customer forgery more aggressively. We might even want to write up
> an RFC that explains what MTA implementors and ISPs have to do.
> I do see two options for how to prevent cross-customer forgery
> technically:
> 1. Notice the SMTP-AUTH identity. Receive the message including its
> headers, and see if "From:"/"Sender:" matches the SMTP-AUTH identity. If
> not, reject the message after DATA.
I disagree. The ISP should simply compare the MAIL FROM domain with
a list of domains allowed for that SMTP-AUTH identity, and reject/alter
if not included. No checking of 2822 headers should occur at the SMTP level.
Especially so, since this is the SPF group and not the Sender ID group.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
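The envelope-level check Stuart describes, written out as an added example (it is not code from this thread, from Stuart, or from any SPF project): the MTA looks up the domains the SMTP-AUTH identity is entitled to use, compares them with the domain of the MAIL FROM reverse-path, and rejects at the MAIL FROM stage if there is no match. The policy table, the function names and the exact reply texts are assumptions made for the example; no RFC 2822 headers are inspected, which is the point of the reply above.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed policy table for the example: SMTP-AUTH identity -> domains that
# identity may use in MAIL FROM. An ISP would load this from its customer database.
ALLOWED_DOMAINS: Dict[str, Set[str]] = {
    "alice": {"example.com", "mail.example.com"},
    "bob": {"example.net"},
}

# "MAIL FROM:<reverse-path>" optionally followed by ESMTP parameters (e.g. SIZE=).
_MAIL_FROM_RE = re.compile(r"^MAIL\s+FROM:\s*<(?P<path>[^>]*)>", re.IGNORECASE)


def parse_mail_from(command: str) -> Optional[str]:
    """Extract the reverse-path from a MAIL FROM command line.

    Returns "" for the null sender (<>) and None if the line does not parse.
    """
    m = _MAIL_FROM_RE.match(command.strip())
    if not m:
        return None
    return m.group("path")


def sender_domain(reverse_path: str) -> Optional[str]:
    """Lower-cased domain part of a reverse-path; None if there is no usable domain."""
    local, sep, domain = reverse_path.rpartition("@")
    if not sep or not local or not domain:
        return None  # no '@', empty local part, or empty domain
    return domain.lower()


def check_mail_from(auth_id: Optional[str], command: str,
                    policy: Dict[str, Set[str]] = ALLOWED_DOMAINS) -> Tuple[int, str]:
    """Decide the SMTP reply to a MAIL FROM command on an authenticated submission session.

    Only the envelope sender (MAIL FROM) is compared with the identity's
    allowed domains; message headers are never consulted here.
    """
    if auth_id is None:
        # Submission without SMTP-AUTH has no identity to compare against.
        return (530, "5.7.0 Authentication required")

    path = parse_mail_from(command)
    if path is None:
        return (501, "5.5.4 Syntax error in MAIL FROM")

    if path == "":
        # Null reverse-path (<>) is used for bounces/DSNs and carries no domain to
        # check. Accepting it is a policy choice assumed for this example.
        return (250, "2.1.0 Ok")

    domain = sender_domain(path)
    if domain is None:
        return (501, "5.1.7 Bad sender address syntax")

    # Exact, case-insensitive domain match. Whether sub-domains of an allowed
    # domain are also permitted is a further policy choice, not handled here.
    allowed = {d.lower() for d in policy.get(auth_id, set())}
    if domain not in allowed:
        return (550, f"5.7.1 <{path}>: sender domain not permitted for authenticated user {auth_id}")
    return (250, "2.1.0 Ok")


if __name__ == "__main__":
    for ident, cmd in [("alice", "MAIL FROM:<alice@example.com>"),
                       ("alice", "MAIL FROM:<alice@example.net>"),
                       ("bob", "MAIL FROM: <bob@Example.NET> SIZE=2048"),
                       ("bob", "MAIL FROM:<>"),
                       (None, "MAIL FROM:<anyone@example.com>")]:
        code, text = check_mail_from(ident, cmd)
        print(f"{ident!s:6} {cmd:45} -> {code} {text}")
```

Because the decision is made when MAIL FROM arrives, a forged envelope is refused before any message data is transferred, and a customer who legitimately handles several domains just needs all of them listed against their SMTP-AUTH identity.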