spf-discuss

Re: [spf-discuss] Re: Fw: SRS vs BATV

2006-02-16 21:06:54

I'm going to summarize what you just wrote, because I think you hit an important point that CBV developers probably are not likely to often note:

1. If a CBV system is verifying an email address found in a message header (From or Sender), it should use a non-empty MAIL FROM address during CBV:
 MAIL FROM:<verifier(_at_)mailhost(_dot_)(_dot_)>
 RCPT TO:<address(_at_)in(_dot_)from(_dot_)header(_dot_)field>

2. If a CBV system is verifying an email address found in the RFC2821 MAIL FROM,
it should use an empty MAIL FROM address during CBV:
 MAIL FROM:<>
 RCPT TO:<address(_at_)in(_dot_)envelope(_dot_)from>

Is this current behavior that you think should not (in theory) cause any problems when the MAIL FROM address is auto-generated and contains
an SES, BATV or similar signature or tag scheme?

On Thu, 16 Feb 2006, Mark Shewmaker wrote:

On Fri, Feb 17, 2006 at 03:47:26PM +1300, Craig Whitmore wrote:

My thoughts on this are.. if someone sends from an email address it HAS to
be valid (or how do you ever bounce back to it?)

Maybe you could restate that..  I think your wording confuses
the multiple types of "from"s, and you're also using "valid"
as a noun instead of an adjective, (which leads to the question "it has
to be a valid what?"), so your claim is a bit nebulous.

However, I would agree to the extent that an address used as an argument
to a non-null MAIL FROM should be a valid address for bounces.

Or to be clearer, I would claim that:

1.   Non-Null MAIL FROM addresses must be valid addresses to send bounce
    messages to.

2a.  Non-Null MAIL FROM addresses may or may not be valid addresses to send
    non-bounce messages to.

2b.  Valid addresses to send non-bounce messages to may or may not be
    valid addresses to send bounce messages to.

3.  Various addresses that are found in body headers may or may not
   be valid addresses for bounces.

(I'm ignoring side issues such as other forgery checks and
timeout/denial-of-service type checks.)

So in other words, I think it's perfectly valid to have a system in
which:

1.  "user(_at_)example(_dot_)com" is a valid address for non-bounce messages but
   not bounce messages, while
2.  "34759127591(_at_)example(_dot_)com" is a valid address for bounce messages
   but not non-bounce messages, and
3.  "user(_at_)example(_dot_)com"'s emails are sent with
   "MAIL FROM:<34759127591(_at_)example(_dot_)com>", with
   "user(_at_)example(_dot_)com" as a body header FROM.  (Or Sender,
   Reply-To, etc.)

So in that situation, verifying the "validity" of "user(_at_)example(_dot_)com"
using a bounce test, or verifying the "validity" of
"34759127591(_at_)example(_dot_)com" using a non-bounce test, will return
incorrect results.

But verifying that the bounce address could receive bounces, or
verifying that the non-bounce-address could receive non-bounces, are
both more likely to be valid.  (Or at least, they shouldn't give false
negatives.)
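
The two probe rules summarized at the top of this message, run against the example domain described in the quoted text. This is an added example, not code from anyone in the thread; the policy class, the function names and the verifier address are assumptions, and the addresses are constructed from the ones used above.

```python
# Added illustration; every address and name here is constructed.
from dataclasses import dataclass

NULL_SENDER = ""  # stands for SMTP "MAIL FROM:<>"

@dataclass(frozen=True)
class ToyPolicy:
    """Hypothetical receiving-side policy for the thread's example domain."""
    non_bounce_rcpts: frozenset  # accept only mail with a non-null sender
    bounce_rcpts: frozenset      # accept only bounces (null sender)

    def rcpt_accepted(self, mail_from, rcpt_to):
        if mail_from == NULL_SENDER:
            return rcpt_to in self.bounce_rcpts
        return rcpt_to in self.non_bounce_rcpts

def cbv_envelope(address, source, verifier="verifier@mailhost.example"):
    """Return the (MAIL FROM, RCPT TO) pair a callback probe should use.

    source is "header" for a From/Sender address, "envelope" for an
    RFC 2821 MAIL FROM address.
    """
    if source == "header":
        return (verifier, address)      # rule 1: non-empty MAIL FROM
    if source == "envelope":
        return (NULL_SENDER, address)   # rule 2: empty MAIL FROM
    raise ValueError(f"unknown address source: {source!r}")

def probe(policy, address, source):
    """Simulate one callback and report whether RCPT TO would be accepted."""
    mail_from, rcpt_to = cbv_envelope(address, source)
    return policy.rcpt_accepted(mail_from, rcpt_to)

POLICY = ToyPolicy(
    non_bounce_rcpts=frozenset({"user@example.com"}),
    bounce_rcpts=frozenset({"34759127591@example.com"}),
)

def probe_matrix(policy=POLICY):
    """Probe both addresses with both probe styles."""
    addresses = ("user@example.com", "34759127591@example.com")
    return {(a, s): probe(policy, a, s)
            for a in addresses for s in ("header", "envelope")}

if __name__ == "__main__":
    for (addr, style), ok in probe_matrix().items():
        print(f"{addr:28} probed as {style:8} -> {'accepted' if ok else 'rejected'}")
```

Only the two matched probes are accepted; probing the header address with a null sender, or the tagged envelope address with a non-null sender, is rejected even though both addresses are in use.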
