spf-discuss

Re: X-trust-previous-hop:

2005-05-10 04:56:31
Alex van den Bogaerdt wrote:

On Tue, May 10, 2005 at 07:09:13AM -0400, Mark Shewmaker wrote:
On a topic tangentially of interest to spf, but not directly
spf-related:

It would be convenient for MUAs if there were a header item that said:
"I fully and completely trust the previous MTA."

Then this happens:

spammer adds:  "I fully and completely trust $mydomain"
then forwards to next hop.

In other words, if I cannot trust the received line, why
would I trust "X-trust-whatever" ?

The received line just says "This is where I got the message", it doesn't say "this is where I got the message AND you can take his word for where he got the message too".

When I pick up messages from a POP3 server, I know that I can trust the topmost Received header (or rather, as much as I trust my mail server, I can trust the Received header). However, from there it's mostly guesswork.

Spammers wouldn't be able to abuse this, because at some point the receiving SMTP servers would not add the "I trust the previous hop" line, and you'd know that all following Received lines are suspect -- At best, they'd be open relays which accepted the message. At worst, they'd be completely forged.

In other words, imagine the following Received lines:

Received from [b] by a {trusted}
Received from [c] by b {trusted}
Received from [d] by c
Received from [e] by d {trusted}

If I trust A, and A trusts B, and B trusts C, then I'll take C's word for it that "D" is the sender. The fact that "D" claims the message came from somewhere else isn't important, the chain is broken so I know to not trust "D".

--
If quitters never win, and winners never quit,
what fool came up with, "Quit while you're ahead"?
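
The chain walk described in the message above, as an added example that is not part of the original post: it reads hops top-down, believes a line only if it was written by the host the previous believed line vouched for, and stops at the first hop without the marker. The hop notation and `{trusted}` marker are the post's schematic, not real Received syntax; `last_believable_hop` and `my_server` are hypothetical names.

```python
import re

# Schematic hop notation from the post (assumption: not real RFC 5321 syntax).
HOP = re.compile(
    r"^Received from \[(?P<src>[^\]]+)\] by (?P<by>\S+)(?P<mark> \{trusted\})?$"
)

# The four lines given in the post, topmost (most recent hop) first.
SAMPLE = [
    "Received from [b] by a {trusted}",
    "Received from [c] by b {trusted}",
    "Received from [d] by c",
    "Received from [e] by d {trusted}",
]


def last_believable_hop(lines, my_server):
    """Return (sender, believed_lines, suspect_lines).

    sender is the host named by the last believable line, or None when
    even the topmost line was not written by my_server.
    """
    expected_by = my_server  # the only host whose line we believe so far
    sender = None
    for i, line in enumerate(lines):
        m = HOP.match(line.strip())
        # A malformed line, or one not written by the vouched-for host,
        # breaks the chain: it and everything below may be forged.
        if not m or m.group("by").lower() != expected_by.lower():
            return sender, lines[:i], lines[i:]
        sender = m.group("src")
        # No marker: this host's word for its sender is taken, but it did
        # not vouch for that sender, so lower lines are suspect even if
        # they carry a marker themselves.
        if not m.group("mark"):
            return sender, lines[: i + 1], lines[i + 1:]
        expected_by = sender  # the marker extends trust one hop down
    return sender, lines, []


if __name__ == "__main__":
    sender, believed, suspect = last_believable_hop(SAMPLE, "a")
    print("sender:", sender)
    print("believed:", believed)
    print("suspect:", suspect)
```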


