Hans Dieter Pearcey wrote:
I mean what the OP said he was using it for: running various commands when messages are received.
But that can be something as soft as (as it turned out) a mailing list response. Which was actually *my* first thought (unsurprisingly).
I'm not talking about whether or not this is a bug in E::A; I'm addressing the design (flaws) of using E::A specifically and From header parsing generally to do this kind of authentication.
I figure using it for authentication is just fine. It's how much authorization you credit to that sort of authorization that matters.
I had, to be honest, figured by the time we got this grossly into the future (thank you, SpamAssassin), we'd be seeing spambots smart enough to recognize mailing lists, and to match up incoming "From" addresses with the mailing list address to successfully forge from-a-subscriber mails. But we haven't, which probably says more about the decline of mailing lists than about the sophistication of spammers, so it's still fairly safe to trust a From line that you recognize. At least, given some other basic spam filtering has taken place.