MAIL FROM rewriting?
2005-06-24 06:06:30
Hello all. First off, let me say that I'm quite new to this. Please bear
with me, I appreciate your patience in advance! I'm a little confused about
a particular aspect of SID, namely how 3rd party mailers are supposed to
handle messages. Let's take the example of a remote worker who uses their
private ISP's SMTP server to send e-mail messages in the name of their work
e-mail account, which really resides on their company's corporate e-mail
server. A similar scenario is mentioned in Dan's recent post here:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200506/0572.html
According to the Sender ID draft spec section 7.4
(http://www.microsoft.com/mscorp/safety/technologies/senderid/resources.mspx),
"In order to pass the MAIL FROM variant of this test, a program that sends
mail on behalf of another user MUST use a MAIL FROM address that is under
its control." So if the private ISP performs rewriting to alter the MAIL
FROM (or RETURN PATH) field to represent an address under its control,
isn't that just defeating the entire purpose of SID in the first place? It
shifts the focus of authentication from the original sender to the upstream
ISP. As long as the ISP has a correct SPF record the message will pass a
MAIL FROM test at the receiving end, regardless of the true legitimacy of
the original sender.
I could pretend to be George Bush, configure my mail client From: and Reply
To: addresses as george(_at_)whitehouse(_dot_)gov, and send using my local ISP's SMTP.
The MAIL FROM gets altered to "george(_at_)legitimateisp(_dot_)com", and when received
by the end recipient's mail server, it passes the test because the SPF for
legitimateisp.com authorizes the correct 1st hop sending server, and a PRA
test should check MAIL FROM before FROM. When the message shows up in the
recipient's inbox, all they're going to see is the FROM field of
george(_at_)whitehouse(_dot_)gov. Only upon closer inspection of the message headers
would they see the altered MAIL FROM, which probably wouldn't tell them much
anyway depending on the implementation.
Instead of (or in addition to) rewriting the MAIL FROM, another option is to
add a new SENDER or RESENT FROM header to the message. But what good does
that do if the PRA test is based on those fields? It's the same problem. I
guess in my head, to be legitimate SID should essentially make the practice
of using an unauthorized 3rd party SMTP server impossible. I mean, that is
the point, right? To ensure that sending servers are specifically
authorized to send mail for the domains that messages appear to come from?
But instead it appears to provide a workaround that negates SID altogether.
I apologize if I've got this all wrong, but it's my best interpretation so
far. Could someone either set me straight, or agree with me?
Thanks!
drj
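
An added example, not part of the original post: a receiver-side report of which domain each Sender ID test would evaluate against the domain the recipient actually sees in From:, for the remote-worker scenario described above. The addresses and the `.example` domains are constructed, and the header order is a simplified form of the PRA selection in RFC 4407 (assumption: its rule about Received lines between Resent-* headers is not modelled).

```python
from email import message_from_string
from email.utils import parseaddr

# Simplified PRA header order (assumption: RFC 4407 without its
# Received-line ordering rule for Resent-* headers).
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

def domain_of(address):
    """Return the lower-cased domain of an address, or None if it has none."""
    addr = parseaddr(address or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def pra(msg):
    """Return (header name, address) for the first PRA header present."""
    for name in PRA_ORDER:
        values = msg.get_all(name)
        if values:
            return name, parseaddr(values[0])[1]
    return None, None

def report(mail_from, raw_message):
    """Compare the domain each test checks with the displayed From: domain."""
    msg = message_from_string(raw_message)
    shown = domain_of(msg.get("From"))
    header, address = pra(msg)
    env, pra_dom = domain_of(mail_from), domain_of(address)
    return {
        "displayed_from": shown,        # what the recipient sees
        "mail_from_checked": env,       # domain the MAIL FROM variant looks up
        "pra_header": header,           # header the PRA was taken from
        "pra_checked": pra_dom,         # domain the PRA variant looks up
        "mail_from_aligned": env == shown,
        "pra_aligned": pra_dom == shown,
    }

# Constructed sample: the ISP rewrote MAIL FROM to an address it controls.
REWRITTEN = "worker@isp.example"
PLAIN = "From: Worker <worker@corp.example>\nSubject: status\n\nbody\n"
# Same message after the ISP also adds a Sender header.
WITH_SENDER = "Sender: relay@isp.example\n" + PLAIN

if __name__ == "__main__":
    print(report(REWRITTEN, PLAIN))
    print(report(REWRITTEN, WITH_SENDER))
```

A `False` in either `*_aligned` field marks a message whose passing result speaks for a different domain than the one shown to the reader, which is the case a receiver would want to surface rather than treat as authenticated.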
- MAIL FROM rewriting?,
Julius Hibbert <=