RE: recent spam to this list
Michael Poole wrote:
> Julian Mehnle writes:
> > Don't you agree with my understanding of a sender address (or source
> > mailbox) being the address (or source mailbox) the sender sends
> > from? If so, please state it explicitly, so I have something I can
> > argue against. :-)
> Mail is not sent from any particular address at all; it is sent by a
> person or program. It is delivered to one or more addresses. The
> From: address and SMTP and envelope sender addresses are for human
> understanding and status reporting.
It very well does make sense to specify a "sender address" for an e-mail, and that's exactly what the SMTP "MAIL FROM" command AKA envelope-from (and the "Sender:" header) is meant to be. Even RFCs (2)821 and (2)822 articulate it that way. Nowhere do these RFCs state that the envelope-from can or should be used for status reporting *only*, do they?
> Forgery generally means to create written authorization that shows
> false provenance.
No. You can also forge paintings as well as originator address specifications and other information. Call it counterfeiting, but essentially it's the same thing.
> A user who indicates status messages should go to his own address is
> not forging that address, even if it is not an obvious address given
> the user's hostname.
Agreed, but a user indicating a "MAIL FROM: <email@example.com>" while sending from a host in the "bar.org" domain is forging the "MAIL FROM" address.
> It probably is useful to perform checks on those addresses, to verify
> that the administrator of the domain allows the sender to claim an
> identity under the domain. If such an authorization check fails,
> forgery is just one possible explanation.
Generally true, but in part it depends on how you define "forgery".
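
The authorization check discussed in the last exchange, sketched as an added example that is not part of the original message or of any project mentioned in it. The policy table, IP addresses, session list and function names are constructed assumptions; the point is that a host in bar.org claiming example.com and an innocent forwarder both produce the same "fail".

```python
import ipaddress

# Constructed policy table (assumption): networks each domain's administrator
# has authorized to use the domain in MAIL FROM. A dict keeps the example offline.
AUTHORIZED_NETWORKS = {
    "example.com": ["192.0.2.0/24"],
    "bar.org": ["198.51.100.0/24"],
}

def envelope_domain(mail_from):
    """Extract the domain from a MAIL FROM argument such as '<user@example.com>'."""
    addr = mail_from.strip().strip("<>")
    if not addr:                      # null reverse-path "<>", used for bounces
        return None
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None                   # not a usable mailbox, so no domain to check
    return domain.lower().rstrip(".")

def check_envelope_sender(client_ip, mail_from, policy=AUTHORIZED_NETWORKS):
    """Return 'pass', 'fail' or 'none' for the connecting host and MAIL FROM."""
    domain = envelope_domain(mail_from)
    if domain is None or domain not in policy:
        return "none"                 # nothing to check against: no verdict
    ip = ipaddress.ip_address(client_ip)
    for net in policy[domain]:
        if ip in ipaddress.ip_network(net):
            return "pass"             # administrator authorized this host
    return "fail"                     # unauthorized host; the reason is still unknown

# Constructed sessions: (connecting IP, MAIL FROM, what actually happened)
SESSIONS = [
    ("192.0.2.10", "<user@example.com>", "example.com's own outbound relay"),
    ("198.51.100.7", "<user@example.com>", "bar.org host claiming example.com"),
    ("203.0.113.5", "<user@example.com>", "third-party forwarder, sender unchanged"),
    ("203.0.113.5", "<>", "bounce with null reverse-path"),
    ("203.0.113.5", "<user@nopolicy.test>", "domain that publishes no policy"),
]

if __name__ == "__main__":
    for ip, mail_from, note in SESSIONS:
        verdict = check_envelope_sender(ip, mail_from)
        print(f"{verdict:5} {ip:14} {mail_from:24} {note}")
```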