
RE: recent spam to this list

John Hasler wrote:
> Julian Mehnle writes:
> > It does very well make sense to specify a "sender address" for an
> > e-mail, and that's exactly what the SMTP "MAIL FROM" command AKA
> > envelope-from (and the "Sender:" header) is meant to be.  Even RFCs
> > (2)821 and (2)822 articulate it that way.  Nowhere do these RFCs state
> > that the envelope-from can or should be used for status reporting
> > *only*, do they? 
> If I go to Eau Claire and drop a letter in a letter box am I required to
> put the address of the box on the letter?

No, but this again is one of these broken "e-mail vs. real world" analogies.  You can't receive mail through such a letter box, but a sender address is inherently meant to be a valid address through which you can be contacted (among other criteria).

Sender address forgery is not a serious problem with snail mail, but it is with e-mail.  And with e-mail, it is possible to do things that are hardly possible with snail mail, e.g. checking the authenticity of the sender address.  An e-mail's sender address domain should (in this regard) better be compared to the stamp of the post office where the letter was accepted.

> How about if I go into a library in Eau Claire and send an email?  Why
> should I not put my Elmwood address on it?

You may put your Elmwood address into the From: or Reply-To: fields, but should not specify it as the envelope-from.

> Of what possible use to anyone would the address of the machine I sent
> it from be?

If the sender address (envelope-from) of an e-mail was unforgeable (for a given domain), the sender would be guaranteed to have an account at this domain (and be it only to *send* mail), and any abuse could be reliably traced back to the sender's account (not just to the sending host).  That's what address forgers fear.
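The envelope-from versus From:/Reply-To: distinction discussed in the message above, as an added example that is not part of the original post: it reads a delivered message and reports which header identities use a different domain than the envelope-from. The addresses are constructed, and it assumes the receiving MTA recorded the SMTP MAIL FROM value in Return-Path at final delivery.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message as stored after final delivery. The
# envelope-from (MAIL FROM) shows up as Return-Path; From: and Reply-To:
# carry the author's own address, as in the library scenario above.
SAMPLE = """\
Return-Path: <patron17@library.example>
From: John Example <john@elmwood.example>
Reply-To: john@elmwood.example
To: list@lists.example
Subject: constructed sample

body
"""

def domain_of(value):
    """Return the lowercased domain of an address header value, or None."""
    _, addr = parseaddr(value or "")
    if "@" not in addr:
        return None  # header absent, null sender "<>", or malformed
    return addr.rsplit("@", 1)[1].lower()

def sender_identities(raw):
    """Map each sender-related identity of a message to its domain."""
    msg = message_from_string(raw)
    return {
        "envelope-from": domain_of(msg.get("Return-Path")),
        "From": domain_of(msg.get("From")),
        "Sender": domain_of(msg.get("Sender")),
        "Reply-To": domain_of(msg.get("Reply-To")),
    }

def differs_from_envelope(raw):
    """Header identities whose domain differs from the envelope-from domain.

    With a null envelope-from (a bounce), every header that is present is listed.
    """
    ids = sender_identities(raw)
    env = ids["envelope-from"]
    return sorted(name for name, dom in ids.items()
                  if name != "envelope-from" and dom is not None and dom != env)

if __name__ == "__main__":
    print(sender_identities(SAMPLE))
    print(differs_from_envelope(SAMPLE))
```

A difference here is not evidence of forgery in itself; it only shows that the author identity and the sending account belong to different domains.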
