How to detect forged From and Reply-to addresses from your own domain

Glenn Steen glenn.steen at gmail.com
Mon Mar 8 15:52:05 GMT 2010


On 7 March 2010 19:03, Mark Sapiro <mark at msapiro.net> wrote:
> On 11:59 AM, Mogens Melander wrote:
>>
>> On Sat, March 6, 2010 18:19, Mark Sapiro wrote:
> [...]
>>>
>>> For drawbacks to Jules' suggestion (possibly to the whole idea),
>>> consider the following:
>>>
>>> You are my employer.
>>>
>>> I set up a pop3 or imap account on my MUA at home to access my work mail.
>>>
>>> My ISP redirects all port 25 connects to its own servers so even if I
>>> know what I'm doing, I can't use your MTA for my outgoing mail for this
>>> account.
>>>
>>> Now, all my replies from home to my co-workers will be seen as spam
>>> because they are From: my work address, but the sending MTA is my home ISP.
>>>
>>> The same problem exists if SPF is used.
>>
>> In that case, either bitch at your ISP, or set up a web-mail.
>>
>> I've been using squirrelmail for years for the same reasons.
>
> And Alex Neuman wrote:
>>
>> That would be why I always enable 587 (MSA) with auth, or 465 (SMTPS)
>> on my MTA's.
>
>
> I understand all those things, but that is not my point. I am not a
> typical user. Typical users in most environments don't understand those
> things.
>
> What do you say when the PHB is on the phone and wants to know why *his*
> boss is saying he didn't receive the monthly status report that the PHB
> knows he emailed from home the evening before it was due.
>
> And yes, even this can possibly be avoided with sufficient
> documentation, training and support, but this is a cost that should be
> factored in.
>

Your situation may differ much from mine, but ... most PHBs actually
can take well-built technical argumentation.... If you say "don't do
stupid things" in the right way, there simply is no issue;-).

Getting (company) control over who sends what as whom is something a
PHB would find attractive, in my experience (even when it
"backfires":-), and especially if there are simple countermeasures
(like providing authenticated SMTP services, as suggested by Alex...
Or a VPN and/or webmail solution that circumvents the entire problem).

The argument that joe-dough-email-admin *may* do a bad setup/design
simply will not bear scrutiny... *We* can't take responsibility for
bad email management by users of either MTAs or MailScanner... Never
have, never will;-). I certainly will not take responsibility for any
errors you make, nor would I expect you to shoulder my
shortcomings...;).

From the ISP perspective... I suspect one simply cannot employ
something like this, other than for customers that actually buy that
type of service from you. A simple question of responsibilities:).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
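
The trade-off debated in this thread, as an added example that is not part of the original messages and is not MailScanner code: a check that flags own-domain From/Reply-To addresses arriving from outside, and shows how authenticated submission on 587/465 removes the home-user false positive. The domain, networks, verdict names and sample sessions are all constructed assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Assumed values for this sketch; none of them come from the thread.
OWN_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # own MTAs and office LAN


def own_domain_addrs(msg, header):
    """Addresses in `header` whose domain is one of OWN_DOMAINS."""
    addrs = [a for _, a in getaddresses(msg.get_all(header, []))]
    return [a for a in addrs
            if "@" in a and a.rpartition("@")[2].lower() in OWN_DOMAINS]


def classify(raw, client_ip, authenticated):
    """Verdict for one message. client_ip and authenticated must come from
    the receiving MTA's SMTP session, never from sender-controlled headers."""
    msg = message_from_string(raw)
    if not (own_domain_addrs(msg, "From") + own_domain_addrs(msg, "Reply-To")):
        return "not-ours"          # no own-domain identity claimed
    if authenticated:
        return "ok-authenticated"  # submitted over 587/465 with SMTP AUTH
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "ok-internal"
    return "suspect-forged"        # own-domain sender via an outside relay


def sample(frm, reply_to=None):
    """Build a constructed test message."""
    hdrs = [f"From: {frm}", "To: boss@example.com", "Subject: status report"]
    if reply_to:
        hdrs.append(f"Reply-To: {reply_to}")
    return "\n".join(hdrs) + "\n\nbody\n"


# Constructed sessions: name -> (message, connecting IP, SMTP AUTH used?)
SAMPLES = {
    "home user, ISP relay": (sample("Emp <emp@example.com>"), "198.51.100.7", False),
    "home user, port 587": (sample("Emp <emp@example.com>"), "198.51.100.7", True),
    "office desktop": (sample("emp@example.com"), "192.0.2.15", False),
    "outside sender": (sample("x@example.net"), "203.0.113.9", False),
    "Reply-To forged": (sample("x@example.net", "ceo@example.com"), "203.0.113.9", False),
}

if __name__ == "__main__":
    for name, (raw, ip, auth) in SAMPLES.items():
        print(f"{name:22} -> {classify(raw, ip, auth)}")
```

The first two sessions carry the same message from the same home IP; only the use of SMTP AUTH changes the verdict.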

