Chronology Current Month Current Thread Current Date
[Year List] [Month List (current year)] [Date Index] [Thread Index] [Thread Prev] [Thread Next] [Date Prev] [Date Next]

Re: virus and/or spam alert

"Dr. John Clement" wrote:

the listserv probably does not use the
return-address for verification.

Yes, strictly speaking there is no such thing as a
"return address". I was using the term metaphorically.

It probably uses the from address.

Yes.

All mailers are required to supply 3 pieces of
information: the from address,
the time stamp, and the to address.

Close, but not strictly true. The To: field may be
omitted if the Bcc: field is present, and the Bcc:
field may be empty. The contents of these header
fields, like all the other header info, is !!not!!
used in routing the messages. SMTP is used to route
the messages; the headers are just part of the payload
as far as SMTP is concerned. Reference:
http://www.ietf.org/rfc/rfc0822.txt (mail headers)
See also:
http://www.ietf.org/rfc/rfc0821.txt (SMTP)

The return address is optional
information and is easily changed in any good mailer.

Again, strictly speaking, there is no such thing as a return
address. There is a Reply-to: field, plus a Sender: field
and various other goodies. Reference: op.cit.

The from address ... not easily changed in regular mailers,

Huh? It's two clicks in the Netscape mailer.

There is a solution to this problem which could be implemented, but probably
is not. The mail client can check to see if the address the mail comes from
matches the claimed from address of the sender.

Sorry, that will never be implemented, for a couple of reasons:

1) It would cause too much collateral damage.
I'm not going to send this message using my monmouth.com
connection. Indeed, AFAIK precisely zero of the thousands of messages
I've sent to this list were sent from monmouth.com, but rather from
research.att.com or comcast.net or jdenker.com or whatever.

Since the dawn of email, it has been considered a feature that
many machines would _forward_ mail that originated on other machines.

2) Also: What you are recording is the IP-address of the
sending machine. On a time-sharing system and/or on a system
that receives its IPaddr dynamically via DHCP, this would provide
very little information about identification.

======================

There are techniques that could be used to ensure authenticity.
For example, in theory, one could require authors to _sign_
their messages using PGP. The listserv would check and require
a valid signature before forwarding.

There are other hypothetical solutions.

Alas none of them are particularly easy to implement.