Re: recent spam to this list
Julian Mehnle writes:
> Michael Poole wrote:
>> Mail is not sent from any particular address at all; it is sent by a
>> person or program. It is delivered to one or more addresses. The
>> From: address and SMTP and envelope sender addresses are for human
>> understanding and status reporting.
> It does very well make sense to specify a "sender address" for an
> e-mail, and that's exactly what the SMTP "MAIL FROM" command AKA
> envelope-from (and the "Sender:" header) is meant to be. Even RFCs
> (2)821 and (2)822 articulate it that way. Nowhere do these RFCs
> state that the envelope-from can or should be used for status
> reporting *only*, do they?
In that context, I think the reasonable interpretation for "sender
address" is one that will reach the sender. There need not be a
unique valid "sender address" for any person, any role, any host, or
any combination of those three -- unless the relevant administrators
dictate it. I contend that a from or sender address is forged *only*
if that address reaches neither the actual originator nor anyone who
delegated that identity to the actual originator.
A valid sender may be rejected if they are acting contrary to how
their administrator desires them to act -- specifically, if they send
email with that address through unauthorized servers. That is a
failed authorization check, not a failed forgery check, since you
do not know whether the sender is or is not the proper person.
> Agreed, but a user indicating a "MAIL FROM: <email@example.com>" while
> sending from a host in the "bar.org" domain is forging the "MAIL
> FROM" address.
That is what I disagree with. You have given no clear argument for
that claim -- or even a definition of what 'a host in the "bar.org"
domain' means. I assume you mean that the IP resolves using DNS PTR
records to a host matching either *.bar.org or bar.org, and that the
hostname has a DNS A record that points back to the IP.
Forged emails generally have that domain mismatch, but some valid
emails share it. For example, my host is "in" the troilus.org domain,
and about half of my mail uses the address I send this email from.
Most of the rest uses another address, and the remainder is from a
third. The latter two refer unambiguously to me and eventually end up
in the same mailbox as the rest of my mail, so I do not see why using
them in MAIL FROM: should be considered forgery.
On the other hand, it is possible for a user to forge an envelope
sender to make himself look like another user "in" the same domain.
Your naive detection scheme for forgery fails to detect this.
>> It probably is useful to perform checks on those addresses, to verify
>> that the administrator of the domain allows the sender to claim an
>> identity under the domain. If such an authorization check fails,
>> forgery is just one possible explanation.
> Generally true, but in part it depends on how you define "forgery".
Without getting into a debate over semantics, it seems that you define
"forgery" in a counter-intuitive way by ignoring ways that real people
use protocols: specifically, arguing that SMTP forgery is defined by
hostnames rather than user identity.