spf-discuss

Re: Re: SPFv1 record failure cases

2005-07-23 05:15:07
In <42E169B8(_dot_)3095(_at_)xyzzy(_dot_)claranet(_dot_)de> Frank Ellermann 
<nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> writes:

> Daniel Taylor wrote:
>
>> the PRA algorithm was not discussed in quite the depth here
>
> It's pretty simple, scan the header for Resent-Sender, then
> Resent-From, then Sender, then From (each step top down), and
> take the first match.  If that has more than one address it's
> a syntax problem (=> no PRA), otherwise it's the PRA.
>
> In the spf-discuss(_at_)v2(_dot_)listbox case you get the Sender as PRA.

I don't think the PRA is really that simple and I think that Frank's
description is wrong.

The PRA is taken from the From: header.  If there is more than one
email address listed on the From: header, choose the first one.
Unless there is a Sender: header, in which case you use that instead
of the From:.  Unless there is a Resent-From: header, in which case
you use that.  Unless there is a Resent-Sender: header, in which case
you use that.  Unless there is a trace header between the
Resent-From: and the Resent-Sender: headers, in which case you use
the Resent-From: header.  In all cases, you ignore all but the top
most Resent-From: and Resent-Sender: headers.  If there aren't any
From:, Sender:, or Resent-* headers, or if there is more than one
From: or Sender: header, or if these headers do not contain actual
email addresses, then I'm not exactly sure what happens, but it is
defined.


>> 2. If so, then what is the advantage over mfrom/helo checks?
>
> MS wants to display the PRA in MUAs, and they don't trust that
> the Return-Path is available - of course it can be also empty.

But MS is not displaying the PRA in the MUA, or at least the hotmail
folks aren't.  This actually helps the phishers.  *sigh*

The PRA is better than the mfrom *IF* the checking isn't being done at
the border MTA where all information is available *AND* if there
wasn't, contrary to RFCs, a Return-Path: header included *AND* if you
can correctly parse the Received: headers and correctly derive IP
address of the border MTA *AND* the PRA returns an email address.


-wayne
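The PRA selection argued over in this thread, as an added example in Python that is not from the thread nor from any SPF/Sender ID implementation (RFC 4407 is the normative definition): Resent-Sender, then Resent-From, then Sender, then From, topmost header first, with the trace-header exception Wayne mentions; a header carrying more than one mailbox yields no PRA, following Frank's reading rather than Wayne's "choose the first" rule. The sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses


def purported_responsible_address(raw):
    """PRA mailbox of an RFC 2822 message given as text, or None if it has none."""
    # non-empty headers in top-down order, names lower-cased
    hdrs = [(n.lower(), v) for n, v in message_from_string(raw).items() if v.strip()]

    def first(name):  # index and value of the topmost header called `name`
        for i, (n, v) in enumerate(hdrs):
            if n == name:
                return i, v
        return None, None

    rs_i, rs_v = first("resent-sender")
    rf_i, rf_v = first("resent-from")
    chosen = None
    if rs_v is not None:
        # A Resent-From above the Resent-Sender with a Received/Return-Path in
        # between belongs to a later resend, so the Resent-From wins.
        trace_between = rf_i is not None and rf_i < rs_i and any(
            n in ("received", "return-path") for n, _ in hdrs[rf_i + 1:rs_i])
        chosen = rf_v if trace_between else rs_v
    elif rf_v is not None:
        chosen = rf_v
    else:
        for name in ("sender", "from"):
            vals = [v for n, v in hdrs if n == name]
            if len(vals) > 1:
                return None  # duplicate Sender:/From: headers: no PRA
            if vals:
                chosen = vals[0]
                break
    if chosen is None:
        return None  # no From:, Sender: or Resent-* header at all
    boxes = [addr for _, addr in getaddresses([chosen]) if addr]
    return boxes[0] if len(boxes) == 1 else None  # >1 mailbox is a syntax problem


# constructed sample messages (not real mail)
LIST_POST = ("Return-Path: <bounce@example.net>\r\nFrom: Alice <alice@example.org>\r\n"
             "Sender: spf-discuss-bounces@example.net\r\nSubject: hi\r\n\r\nbody\r\n")
RESENT = ("Resent-From: Bob <bob@example.com>\r\nReceived: from mx (mx.example.com)\r\n"
          "Resent-Sender: carol@example.com\r\nFrom: alice@example.org\r\n\r\nbody\r\n")
TWO_FROM = "From: a@example.org\r\nFrom: b@example.org\r\n\r\nbody\r\n"
```

For LIST_POST the Sender: wins, as in the listbox case Frank cites; for RESENT the Received: between the two Resent-* headers makes the Resent-From win.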