[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: recent spam to this list

Michael Poole wrote:
> Julian Mehnle writes:
> > Don't you agree on my understanding of a sender address (or source
> > mailbox) being the address (or source mailbox) the sender sends
> > from?  If so, please state it explicitly, so I have something I can
> > argue against. :-)
> Mail is not sent from any particular address at all; it is sent by a
> person or program.  It is delivered to one or more addresses.  The
> From: address and SMTP and envelope sender addresses are for human
> understanding and status reporting.

It does very well make sense to specify a "sender address" for an e-mail, and that's exactly what the SMTP "MAIL FROM" command AKA envelope-from (and the "Sender:" header) is meant to be.  Even RFCs (2)821 and (2)822 articulate it that way.  Nowhere do these RFCs state that the envelope-from can or should be used for status reporting *only*, do they?

> Forgery generally means to create written authorization that shows
> false provenance.

No.  You can also forge paintings as well as originator address specifications and other information.  Call it counterfeiting, but essentially it's the same thing.

> A user who indicates status messages should go to his own address is
> not forging that address, even if it is not an obvious address given
> the user's hostname.

Agreed, but a user indicating a "MAIL FROM: <user@foo.org>" while sending from a host in the "bar.org" domain is forging the "MAIL FROM" address.

> It probably is useful to perform checks on those addresses, to verify
> that the administrator of the domain allows the sender to claim an
> identity under the domain.  If such an authorization check fails,
> forgery is just one possible explanation.

Generally true, but in part it depends on how you define "forgery".

Reply to: