Hans Dieter Pearcey wrote:
If you are relying on From (or Sender) headers for access control, you have
already lost. Almost every part of the email header and SMTP transaction can
be faked by a malicious user.
Depends on what you mean by access control. I can easily see where you'd
want to use it as part of your spam filtering, which might be considered
a soft authentication. For example, I've seen spam with a pattern like this:
From: phishsch...@somebankorother <botinfec...@legitisp>
I'm guessing the use of the infected user's real address (or at least
one that's not likely to be blacklisted) gets the thing through the
infected user's ISP, and then (so the phisher hopes) the recipient only
sees the "comment" and assumes it's the actual source.
You'd still want E::A to parse it properly, if only so you can test for
"If the comment is a valid email address, but doesn't match the
bracketed email address, it's spam."