Now what I was trying to suggest was something much simpler than many of
these options.
Give domain owners who do not want their 2822-From: (or 2822-Sender:
perhaps) used with someone else's 2821-Mail From:.
Domains that want to impose this restriction add from=yes to their SPF
record.
For current SPF implementations it's an unknown modifier, so no impact.
Future implimenations that supported this would check for the 2822-From:
and if it had a different domain part, would look up the SPF record for
the domain in the 2822-From: If the record did not contain from=yes,
they would move on, changing nothing. If they found from=yes, then they
could reject the message after Data, but still during the SMTP session.
This will break some things, but the point is that heavily phished and
joe-jobbed domains probably can stand the breakage. This gives a simple
way to opt-in to a method that would close one of the holes that is
currently open.
None of the ebay/paypal phishes I get use ebay or paypal in 2821 any
more. SPF scared them off of that, even with it's current limited
deployment. This would be another step in the process.
And yes, I didn't make this up, this is a subset/simplification of ideas
previously developed by others.
It seems like an easy win.
Scott K