[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] Re: 03.1 Re: Forgery in SMTP

To: gep2@terabites.com
Subject: Re: [Asrg] Re: 03.1 Re: Forgery in SMTP
From: Philip Miller <millenix@zemos.net>
Date: Sat, 27 Dec 2003 01:52:54 -0500
Cc: asrg@ietf.org
In-reply-to: <B0000028150@nts1.terabites.com>
List-archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
References: <B0000028150@nts1.terabites.com>
Sender: asrg-admin@ietf.org
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031107 Debian/1.5-3

gep2@terabites.com wrote:

[snip]
What actions can *YOU* take that would allow
verification/authentication of the "From:" during the SMTP transaction ?
I'm not convinced that it's necessarily practical and maybe not even desirable to even try.

First of all, there are many legitimate reasons for people to send E-mails through relays, foreign ISPs, or other services not usually associated with their From: address. They might be travelling (perhaps even internationally) at an Internet cafe, airport waiting lounge E-mail kiosk, cruise ship Internet access lounge, in-airplane E-mail service, public library, or post office. In each of these cases, they clearly want the replies to come to their own (perhaps "vanity") domain, and maybe they never will ever again even be at the point where the prior E-mail message was actually sent from.

We're talking about different 'From' addresses. None of the proposals we're working on deal with the 'From:' header as it appears in the message body. From what I've seen, it's possible that Yahoo's "Domain Keys" proposal might, but we don't know.
All of the LMAP implementation proposals deal with the envelope from address, also know as the return path. That's the parameter to the MAIL command in SMTP. If travelling people want to set up their domain so that any source can use it in a MAIL FROM, they're welcome to, just as all recipients are welcome to block mail claiming to be from that domain.

What's more, consider the case of mailing lists (Yahoogroups is a good example) as "anonymizers" of sorts of messages. They forward messages (as individual messages or perhaps as digests) and these sorts of mailing lists are terribly important to large classes of internet users. Sometimes these messages bear the original sender's From address, sometimes they bear the list's From address.

Mailing lists are a different case. Most mailing lists rewrite the return path so that bounces are delivered to the mailing list server or administrator rather than random posters on the list. Any modern mailer that doesn't do this better have pretty damn good reasons not to.

Philip Miller

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

References:
- [Asrg] Re: 03.1 Re: Forgery in SMTP
  - From: gep2

Prev by Date: Re: [Asrg] 6. Proposals - Computational - MSFT's "Penny Black"
Next by Date: Re: [Asrg] 6. Proposals - Computational - MSFT's "Penny Black"
Previous by thread: [Asrg] Re: 03.1 Re: Forgery in SMTP
Next by thread: [Asrg] Re: Forgery in SMTP
Index(es):
- Date
- Thread