spf-discuss

Re: Re: possibilities for 2822

2005-08-17 20:02:46
On Thu, 18 Aug 2005, Frank Ellermann wrote:

> In all other cases display a warning.  Is that really all, or
> did I miss something ?

Seth's idea is that the most popular MUAs *already* display From + Sender.
He wants to leverage what the MUA is already displaying to 
curb phishing.

Even your idea of adding the missing Sender is a win - because the
MUA will then display it to the user!  Another non-blocking
technique would be to simply *change* the Sender if neither it nor From match.
Change Sender to X-Original-Sender and add a Sender that matches 
MAIL FROM.  Voila, user sees "From xxyyfasdf(_at_)xxyyzz(_dot_)com on behalf
of admin(_at_)ebay(_dot_)com".  All but the most terminally stupid users will
at least have the true source of the message in front of them
without having to click obscure menu options.

You are correct in that if we are going to modify the MUA, why not just
show Return-Path.  My MUA (Pine) does just that (when I toggle the 'h'
key).  Seth's idea is to feed a validated MAIL FROM into what the world's
most popular MUAs do in fact display.

The MTA could flag what the MUA is going to display, by modifying
the human readable part of From or Sender or adding a tag to the Subject.
If the rule is consistent enough, the MTA could even block or
quarantine messages where neither From nor Sender matches MAIL FROM.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
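
The Sender rewrite described in the message above, as an added example that is not part of the original post or of any MTA's own code. It assumes "match" means a case-insensitive comparison of full addresses and that a null reverse-path is left alone; the function name, return labels and sample addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: From and Sender both claim a domain the envelope does not use.
SAMPLE = (
    "From: admin@ebay.example\n"
    "Sender: billing@ebay.example\n"
    "Subject: Account notice\n"
    "\n"
    "Please confirm your details.\n"
)


def _addrs(msg, header):
    """Lower-cased addresses from every instance of `header` in the message."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}


def rewrite_sender(msg, mail_from):
    """Make the envelope sender visible in the Sender header.

    Returns 'skipped' (null reverse-path), 'unchanged' (From or Sender already
    matches MAIL FROM), 'added' (no Sender was present) or 'replaced' (the old
    Sender was preserved as X-Original-Sender).
    """
    mail_from = mail_from.strip().strip("<>").lower()
    if not mail_from:
        return "skipped"          # bounce: nothing to compare (assumption)
    if mail_from in _addrs(msg, "From") | _addrs(msg, "Sender"):
        return "unchanged"
    old = msg.get_all("Sender", [])
    del msg["Sender"]             # removes every Sender header, no error if absent
    for value in old:
        msg["X-Original-Sender"] = value
    msg["Sender"] = mail_from     # what the MUA shows as "From X on behalf of Y"
    return "replaced" if old else "added"


if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    print(rewrite_sender(m, "<xxyyfasdf@xxyyzz.example>"))
    print(m.as_string())
```

The same return value could drive the tagging or quarantine decision mentioned in the last paragraph of the message instead of a rewrite.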

