spf-discuss

Re: Problem with SID

2005-06-21 14:37:57
Alex van den Bogaerdt wrote:

 Helo: victim.tld
 Mail from: <spammer@victim.tld>
 Rcpt to: <victim@hotmail.tld>
 Data
 ...
 ...
 From: <rude@xyzzy.claranet.tld>

[...]
where is the harm?

You get a bogus PRA-PASS for a v=spf1 permitting victim.tld:

xyzzy.claranet.tld "v=spf1 victim.tld redirect=claranet.tld"

When would you allow a host to use this name in RFC821 but
not in RFC822 ?

In the scenario above spammer@victim.tld is an authenticated
user of the MSA victim.tld enforcing submission rights.  This
spammer used his legit MAIL FROM.

rude@xyzzy.claranet.de is also a user of this "hardpass" MSA.

spammer@victim.tld guessed this looking at the v=spf1 policy,
therefore he signed up for his own account, and then he sent
the mail shown above to victim@hotmail.tld.

That victim@hotmail.tld got a PRA-PASS for the forged 822-From.

 From there it's up to your fantasy what spammer@victim.tld did.

But from victim@hotmail.tld POV it was an authorized mail from
"me" via a trusted MSA enforcing submission rights.

Would that be Kelvin, degrees Celsius or degrees Fahrenheit?

Let's say Fahrenheit.  Please check RfC 2476 6.1., it's short,
7 lines, I add it below, s/MAY/does/ for the idea, bye, Frank

 The MSA MAY issue an error response to the MAIL FROM command if the
 address in MAIL FROM appears to have insufficient submission rights,
 or is not authorized with the authentication used (if the session
 has been authenticated).

 Reply code 550 with an appropriate enhanced status code per
 [SMTP-CODES], such as 5.7.1, is used for this purpose.
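
An added example, not part of the message above and not any MSA's actual code: the RFC 2476 6.1 check on MAIL FROM applied to the quoted session, next to the same rights test applied to the header address a PRA check would use. The RIGHTS table, the function names, the simplified PRA header order, the 2.x.x success codes and the idea of running the check on the headers after DATA are all assumptions made for the illustration.

```python
# Added illustration; names and the rights table are constructed, not from the thread.
from email import message_from_string
from email.utils import parseaddr

# Constructed rights table: authenticated login -> addresses it may submit as.
RIGHTS = {
    "spammer": {"spammer@victim.tld"},
    "rude": {"rude@xyzzy.claranet.tld"},
}

def pra(headers):
    """Simplified PRA selection: first non-empty of these headers, in order."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        addr = parseaddr(headers.get(name, ""))[1]
        if addr:
            return addr.lower()
    return None

def check_mail_from(login, mail_from):
    """RFC 2476 6.1 with s/MAY/does/: reject a MAIL FROM the login may not use."""
    if mail_from.lower() not in RIGHTS.get(login, set()):
        return (550, "5.7.1")
    return (250, "2.1.0")

def check_pra(login, raw_message):
    """Assumed extension: apply the same rights test to the PRA after DATA."""
    addr = pra(message_from_string(raw_message))
    if addr is None or addr not in RIGHTS.get(login, set()):
        return (550, "5.7.1")
    return (250, "2.0.0")

# Constructed message matching the session quoted in the post.
MESSAGE = "From: <rude@xyzzy.claranet.tld>\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    # The envelope check alone accepts the session; the header check does not.
    print(check_mail_from("spammer", "spammer@victim.tld"))
    print(check_pra("spammer", MESSAGE))
```

The envelope check accepts the session because the MAIL FROM is the submitter's own address; only the header check notices that the 822-From belongs to a different account on the same MSA.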


