While both the MAIL FROM and the From: can of course be forged by spammers, you are right that the MAIL FROM is more difficult to forge from a properly configured email server.

But it is more difficult for end users to act on the MAIL FROM as it is not visible normally.

In our own systems, we have opted for a solution where, if a person decides to either 'blacklist' or 'whitelist', we allow it to take effect at both levels, but we do it in the sense of 'Block Sender'.

Now, as Brandon pointed out, a lot of the spam will come from obfuscated MAIL FROMs, and in some cases some bulk emailers intentionally tend to use a similar pattern for ALL email, no matter who the sender, and in the case of Gmail with resources to burn, it isn't about performance (less of a need to block during the SMTP transaction, and can be dealt with later in the filtering levels), so the idea of blocking based on what is 'visible', for end users it makes sense probably. Only problem is that it doesn't help when you get emails from the same sender, with randomized From addresses, or those spammers who forge someone whose address you are familiar with..

E.g. your bank ;)

However, since the idea of having a blacklist/whitelist at the user level is normally a 'last resort', after all other efforts at spam protection have been exhausted, and especially since Gmail isn't in the customer support business, making clear and simple to understand methods rather than technically perfect methods, will reduce customer frustrations.

"I never want to 'SEE' an email which is indicated that it is from this person/domain again"

However, having said all that, I feel for you, and personally would like to see more ESPs using the real originating email in the email MAIL FROM, rather than all emails coming out as "bou...@espname.com", in a perfect world. In that case, blacklisting both would have more value.

But maybe Gmail needs an advanced option, for the more tech savvy individuals, who wish to expressly block based on the address used in the MAIL FROM. (e.g., maybe I want to block everything from @espname.com, no matter what the From: appears to be)

For instance, one of the most requested questions we have on one of our spam products, "How do I block all emails from .top domains". Now, of course we would be loath to simply say anything from one registrar is bad, for a tech savvy end user, that could be "his choice" to do at the MAIL FROM: level but then again, it could end up being a support headache, and even then can be forged.

But in the end, there are always more tools that a tech savvy person could use, but in Gmail's case you can understand a one-size fits all model is much easier to maintain.

So, as Brandon pointed out, in the odd case where the MAIL FROM is real, and the From: is faked, e.g. in the example of a compromised email account being used to appear to send as @fedex.com, something you don't want to blacklist, even if you did block the MAIL FROM, it would be whack-a-mole, as another address would be used next time. So, unless it is to choose to block all email from some large provider.... there might be more efficient ways..

By reporting 'as spam', you help the overall system stop that type of spam in the future.

Just my 2 bits to start 2017..



On 17-01-04 09:50 AM, Brandon Long via mailop wrote:
This seems like an odd place to raise this, but ok.

Yes, the blocked sender could be applied to both, I'm not sure if/why it
wasn't done that way.

That said, I actually think if you're going to check one, then it's the
RFC5322.From address which is the more logical choice.  It's also the
more user visible choice.

In many instances, messages are sent with VERP like RFC5321.From
addresses, in the case of most mailing list software and commercial
marketing mail, not to mention several forwarding systems.

In the case of spam, I imagine that both the RFC5322.From and
RFC5321.From are highly variable, we don't expect blocked senders to be
used for the type of spam which mutates in an attempt to evade spam
filters.  In general, playing whack-a-mole using filters or blocked
senders for the worst type of spam is a fool's errand, you're much
better off using the report spam feature and letting our systems handle it.

As for the case where you only want to block the RFC5321.From and not
the RFC5322.From, making the user have to choose which of the addresses
to block seems poor, and blocking the RFC5321.From only seems unlikely
to make sense to users either.

Brandon

On Wed, Jan 4, 2017 at 3:30 AM, Richard Gilbert
<r.gilb...@sheffield.ac.uk> wrote:

    I have become aware that the Google blocked senders list is only
    applied to the From: address, and that we cannot use it to block an
    envelope sender address.  Is it just me who finds this surprising
    (especially given its name)?  Why not check both?  It seems illogical
    to accept a message from an envelope sender address which is in the
    list.  Am I wrong in thinking that in the case of spam the From:
    address is more variable than the envelope sender?  There will be
    cases where we want to block an envelope sender address but unable to
    block the (different) From: address because it is used by legitimate
    mail.

    --
    Richard Gilbert
    Corporate Information and Computing Services
    University of Sheffield, Sheffield, S10 2FN, UK
    Phone: +44 114 222 3028

    _______________________________________________
    mailop mailing list
    mailop@mailop.org
    https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop








--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
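
Added illustration, not code from anyone in this thread and not how Gmail or any product mentioned here works: one block list applied to both the envelope sender (MAIL FROM) and the From: header, so a domain rule can catch a VERP-style bounce address that a From:-only check lets through. The rule syntax, function names and sample messages are assumptions made for the example, and the envelope sender is read from the Return-Path header.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). Return-Path is where the final
# MTA records the SMTP MAIL FROM, i.e. the envelope sender.
VERP_BULK = ("Return-Path: <bounce-8841-alice=example.org@esp.example>\n"
             'From: "Shop News" <news@shop.example>\n\nbody\n')
SPOOFED = ("Return-Path: <mallory@compromised.example>\n"
           'From: "Your Bank" <alerts@bank.example>\n\nbody\n')
BOUNCE = ("Return-Path: <>\n"
          "From: MAILER-DAEMON@mx.example\n\nbody\n")


def sender_addresses(raw):
    """Return (envelope_sender, header_from), lower-cased; '' when empty."""
    msg = message_from_string(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1].lower()
    hdr = parseaddr(msg.get("From", ""))[1].lower()
    return env, hdr


def rule_matches(rule, address):
    """Rule forms: 'user@dom' exact, '@dom' whole domain, '.tld' suffix."""
    if "@" not in address:  # null sender (<>) or unparsable header
        return False
    rule = rule.lower()
    domain = address.rsplit("@", 1)[1]
    if rule.startswith("@"):
        return domain == rule[1:]
    if rule.startswith("."):
        return domain.endswith(rule)
    return address == rule


def blocked_by(raw, rules, check_envelope=True):
    """Return [(level, rule), ...] for every hit; an empty list means deliver."""
    env, hdr = sender_addresses(raw)
    hits = [("header-from", r) for r in rules if rule_matches(r, hdr)]
    if check_envelope:
        hits += [("envelope", r) for r in rules if rule_matches(r, env)]
    return hits


if __name__ == "__main__":
    for name, raw in [("verp", VERP_BULK), ("spoofed", SPOOFED), ("bounce", BOUNCE)]:
        print(name, blocked_by(raw, ["@esp.example", "alerts@bank.example"]))
```

The `level` in each hit shows which address triggered the rule, which is what a support desk needs when a user asks why a message with an unfamiliar From: was blocked.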
