On 2007-02-07, Jason R. Mastaler <[EMAIL PROTECTED]> wrote:
> Tim Rice <[EMAIL PROTECTED]> writes:
>
>> The test I did just after Jason's post would indicate that there is
>> no difference. :-(
>>
>> I too use SPF but it looks like it only addresses the from address in
>> the envelope not the "From:" header.
>>
>> So my question might be, since From: & Reply-To: are so trivially forged
>> why do we trust it?
>
> The envelope sender address is just as easily forged as From and
> Reply-To. In most cases, the envelope sender address is the same as
> the one in From.

I use SPF, too. IMHO, it's not widely deployed enough to protect the
envelope sender. Which means that 99% of legit email addresses in my
whitelists can be forged through the envelope sender just as easily as
From: or Reply-To:.

For the other 1% SPF doesn't always help. I have spam in my pending
list that has a "Received-SPF: pass" header. I get spam from valid SPF
sites. If I had SPF alone, they'd get into my mailbox.

For me, the purpose of SPF isn't to block spam, although it helps to do
that. Its purpose is to lower the incidence of my sending a
confirmation to an innocent joe-job victim.

Back to the subject at hand: I have not seen forging of whitelist email
addresses to be a source of *any* spam that I've received. So, whether
the forged address is in the Reply-To: or From: or envelope sender has
made no difference from my perspective. Are others seeing differently?

If this is a problem that's showing up in the wild, I can see the
justification for making some kind of code change to address it. But if
it's not actually out there yet, what's the point? Sure it's a
theoretical hole, but it seems rather impractical to exploit. If
someone has done it, then it's worth looking into solving.

So, has anyone seen this? I sure haven't.

_________________________________________________
tmda-workers mailing list ([email protected])
http://tmda.net/lists/listinfo/tmda-workers
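
The gap discussed in this thread, as an added example that is not part of the original message and not TMDA's own code: it reports which sender fields of a message match a whitelist and whether a "Received-SPF: pass" result actually covers each match. The function names, the whitelist format and the sample message are constructed for illustration, and it assumes the receiving MTA wrote the Return-Path and Received-SPF headers itself.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the envelope sender passes SPF for its own domain,
# while From: carries a whitelisted address from an unrelated domain.
SAMPLE = """\
Return-Path: <bounce@bulk.example>
Received-SPF: pass (mx.example.net: domain of bounce@bulk.example designates 192.0.2.10 as permitted sender)
From: Alice <alice@friend.example>
Reply-To: offers@bulk.example
Subject: constructed test message

body
"""

def _addr(value):
    """Return the lower-cased bare address from a header value, or ''."""
    return parseaddr(value or "")[1].lower()

def _domain(addr):
    return addr.rpartition("@")[2]

def whitelist_backing(raw, whitelist):
    """Map each whitelisted sender field to 'spf-backed' or 'unverified'.

    Assumption: Return-Path and Received-SPF were added by our own MTA
    (incoming copies stripped), so they reflect the real SMTP envelope.
    """
    msg = message_from_string(raw)
    envelope = _addr(msg.get("Return-Path"))
    spf_words = (msg.get("Received-SPF") or "none").split()
    spf_pass = bool(spf_words) and spf_words[0].lower() == "pass"
    allowed = {a.lower() for a in whitelist}
    fields = {"envelope": envelope, "from": _addr(msg.get("From")),
              "reply-to": _addr(msg.get("Reply-To"))}
    report = {}
    for name, addr in fields.items():
        if addr in allowed:
            # SPF authorised the sending host for the envelope domain only;
            # a header address is covered only if it shares that domain.
            backed = spf_pass and _domain(addr) == _domain(envelope)
            report[name] = "spf-backed" if backed else "unverified"
    return report

if __name__ == "__main__":
    print(whitelist_backing(SAMPLE, ["alice@friend.example"]))
```

A "spf-backed" result only means the sending host was authorised for that domain; as the message notes, mail from valid SPF sites can still be spam.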
