On 2-Dec-2008, at 20:21, DJ Lucas wrote:
> I can find absolutely no reason to inadvertently mislead, or worse,
> intentionally deceive the recipient by forging the envelope sender's
> address. In fact, the only reason I can see, is to intentionally
> deceive the recipient. Is there any other reason?

Sure there is. First off, the envelope from is not FOR the user, it's
for the mailserver. This address should always be where the
'physical' delivery of the message is originating. The From header is
the PERSON that initiated the message. These are often the same, but
not always.
A perfect example is my mom sends out electronic cards from Jacquie
Lawson<1> which arrive with headers like this:
Return-Path: <[EMAIL PROTECTED]>
Received: from iport3.jacquielawson.com (iport3.jacquielawson.com
[64.14.122.52])
by mail.covisp.net (Postfix) with ESMTP id D4AD9118B83F
for <[EMAIL PROTECTED]>; Thu, 27 Nov 2008 02:27:05 -0700 (MST)
Date: Thu, 27 Nov 2008 04:27:02 -0500
X-AG-MIPS: ag867
Sender: <[EMAIL PROTECTED]>
From: **my mom**
This is perfectly OK. In fact, this is exactly how this should be
handled. This method is also used when someone is sending, for
example, a petition request where they've 'signed' and want to let
others know to sign also. Many pages (particularly political ones)
have these sorts of "tell your friends" links and they too will use the
person's email/name as the from and their own server info for the
envelope. I would be far more likely to take a look at the FROM_ and
compare it to the Received header than with the From: header, as I
think that is far more likely to spot spam.
Extending this to a physical letter situation it would be like Barack
Obama's campaign sending me a letter that was signed by, say, my mom.
She wrote the letter and signed it, but the campaign office mailed it
in their own envelope. Seems fine to me.
> If they don't like my policy, they can find another place to put
> their mail. Others may not be lucky enough to be able to enforce
> such a policy, as the counter argument would be to find a less rigid
> admin. ;-) What is 'acceptable' has to be determined on a site by
> site basis. If it works for this site...great! If it doesn't, then
> get rid of it.

Just so you know that there are common and legitimate uses for this,
and that you will lose valid emails that, presumably, your users
actually want. And if you are rejecting them, do your users know they
are missing those emails? I mean, are they informed enough that they
can make a real choice about getting MOST of their email from you or
getting ALL of their email from someone else?
<1> I have no connection with Jacquie Lawson. I'm not even a
customer, I am merely a recipient. I do like the cards though.
--
<[TN]FBMachine> i got kicked out of Barnes and Noble once for
moving all the bibles into the fiction section
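
Added example, not part of the original message: a sketch of the comparison the reply describes, checking the envelope sender against the topmost Received header instead of against From:. All addresses and host names are constructed placeholders, the function names are hypothetical, and a Postfix-style Received line is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the e-card headers in the message above.
# All addresses, hosts and the queue id are placeholders, not from the post.
SAMPLE = """\
Return-Path: <cards@ecards.example>
Received: from iport3.ecards.example (iport3.ecards.example [192.0.2.52])
\tby mail.recipient.example (Postfix) with ESMTP id 0000000000
\tfor <me@recipient.example>; Thu, 27 Nov 2008 02:27:05 -0700 (MST)
Sender: <cards@ecards.example>
From: Mom <mom@family.example>
Subject: A card for you

Hello
"""

def domain(value):
    """Lower-cased domain of an address header value, '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def relay_host(received):
    """Client name the receiving server resolved: the name in parentheses
    of a Postfix-style 'from helo (name [ip])' clause, not the HELO claim."""
    m = re.match(r"\s*from\s+\S+\s+\(([^\s\[]+)\s*\[", received or "")
    return m.group(1).lower().rstrip(".") if m else ""

def under(host, dom):
    """True if host equals dom or is a subdomain of it."""
    return bool(dom) and (host == dom or host.endswith("." + dom))

def classify(raw):
    """Hypothetical helper: relate envelope sender, relay, Sender and From."""
    msg = message_from_string(raw)
    env = domain(msg["Return-Path"])
    # msg["Received"] yields the topmost header, the one our own server wrote.
    host = relay_host(msg["Received"])
    return {
        "envelope_matches_relay": under(host, env),
        "sender_matches_envelope": env != "" and domain(msg["Sender"]) == env,
        "from_matches_envelope": env != "" and domain(msg["From"]) == env,
    }

if __name__ == "__main__":
    print(classify(SAMPLE))
```

On the e-card style sample the envelope lines up with the relay and the Sender header while From: does not, which is the case a strict From-equals-envelope policy would reject.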