RE: recent spam to this list
John Hasler wrote:
> Julian Mehnle writes:
> > It does very well make sense to specify a "sender address" for an
> > e-mail, and that's exactly what the SMTP "MAIL FROM" command AKA
> > envelope-from (and the "Sender:" header) is meant to be. Even RFCs
> > (2)821 and (2)822 articulate it that way. Nowhere do these RFCs state
> > that the envelope-from can or should be used for status reporting
> > *only*, do they?
> If I go to Eau Claire and drop a letter in a letter box am I required to
> put the address of the box on the letter?
No, but this again is one of these broken "e-mail vs. real world" analogies. You can't receive mail through such a letter box, but a sender address is inherently meant to be a valid address through which you can be contacted (among other criteria).
Sender address forgery is not a serious problem with snail mail, but it is with e-mail. And with e-mail, it is possible to do things that are hardly possible with snail mail, e.g. checking the authenticity of the sender address. An e-mail's sender address domain should (in this regard) rather be compared to the stamp of the post office where the letter was accepted.
> How about if I go into a library in Eau Claire and send an email? Why
> should I not put my Elmwood address on it?
You may put your Elmwood address into the From: or Reply-To: fields, but should not specify it as the envelope-from.
> Of what possible use to anyone would the address of the machine I sent
> it from be?
If the sender address (envelope-from) of an e-mail were unforgeable (for a given domain), the sender would be guaranteed to have an account at this domain (if only to *send* mail), and any abuse could be reliably traced back to the sender's account (not just to the sending host). That's what address forgers fear.
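
The following is an added illustration, not part of the original message: it parses the client side of an SMTP session for the library scenario discussed above and separates the envelope-from (`MAIL FROM`) from the `From:`, `Sender:` and `Reply-To:` header addresses. All host names and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed client side of an SMTP session; every address is a placeholder.
SESSION = """\
EHLO kiosk.library.example
MAIL FROM:<patron42@library.example>
RCPT TO:<friend@recipient.example>
DATA
From: John <john@elmwood.example>
Reply-To: john@elmwood.example

Hello from Eau Claire!
.
"""

def split_session(session):
    """Return (envelope_from, message_text) from the client's commands."""
    lines = session.splitlines()
    envelope_from = None
    for i, line in enumerate(lines):
        m = re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.IGNORECASE)
        if m:
            envelope_from = m.group(1)  # "" is the null sender used by bounces
        elif line.strip().upper() == "DATA":
            end = lines.index(".", i + 1)  # a lone dot ends the message
            # Undo dot-stuffing: a leading dot was doubled in transit.
            data = [l[1:] if l.startswith(".") else l for l in lines[i + 1:end]]
            return envelope_from, "\n".join(data) + "\n"
    raise ValueError("session has no DATA section")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def identities(session):
    """Map each sender identity to (address, same domain as envelope-from?)."""
    envelope_from, text = split_session(session)
    msg = message_from_string(text)
    found = {"envelope-from": envelope_from}
    for header in ("From", "Sender", "Reply-To"):
        if msg[header]:
            found[header] = parseaddr(msg[header])[1]
    env_domain = domain(envelope_from or "")
    return {k: (v, domain(v or "") == env_domain) for k, v in found.items()}

if __name__ == "__main__":
    for name, (addr, same) in identities(SESSION).items():
        print(f"{name:14} {addr:28} same domain as envelope: {same}")
```

Only the envelope-from carries the domain of the system that accepted the message; the header addresses remain free for the author's usual address.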