Hi,

----- Original Message -----
From: "Paul Schinder" <[EMAIL PROTECTED]>

> >Maybe one way to deal with this is:
> >1. verify that the domain of MAIL FROM is correct
> >2. verify that the address of the server sending the mail
> >    resolves to that domain...
>
> That's not a good idea at all.  It defeats the entire purpose of a
> mail redirection service like pobox.  I use my @pobox.com address on
> all sorts of mail, but I've *never* used pobox's servers to send out.
> The mail goes out through a variety of routes.  All of the machines I
> send out from have resolvable IPs, but none of them are in pobox's
> domain.


Well, I am certainly not saying that this should be done for all domains. But
for some sensitive ones (yahoo? hotmail? aol?), it would probably be
worthwhile. Also remember that the "MAIL FROM" may not be the same thing as
the "reply-to". If you are using this ISP's mail relay, then it is likely
because you have a user account with that ISP. Nothing prevents you from
advertising the e-mail address associated with that user account in the MAIL
FROM, and nothing prevents you from advertising your "official" email address
in the reply-to header.

This amounts to enforcing stricter relay servers: should a server relay mail
if the address presented in MAIL FROM does not belong to one of its domains
(in addition to whether it comes from one of the "local" computers, etc.)?

The method I am proposing is still more permissive than blocking mail from
servers based on them being listed in ORBS or DUL. Again, I don't advocate
doing that for all servers, but just for the domains most likely to
be used for fake email addresses.


Patrick.
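
The check discussed in this message, sketched as an added example (not code from either poster). The strict-domain list, the function names and the PTR table are assumptions; the table is constructed sample data standing in for reverse DNS so the sketch runs offline.

```python
import re

# Assumption: the "sensitive" domains are the ones the message names as examples.
STRICT_DOMAINS = {"yahoo.com", "hotmail.com", "aol.com"}

# Constructed PTR data (documentation address ranges), not real hosts.
SAMPLE_PTR = {
    "192.0.2.10": "mta5.mail.yahoo.com",
    "198.51.100.7": "dialup-7.isp.example",
    "203.0.113.9": "mail.evil-yahoo.com",
}

def sender_domain(mail_from_arg):
    """Domain of a MAIL FROM argument, or None for the null sender <>."""
    m = re.match(r"\s*<([^<>]*)>", mail_from_arg)
    path = m.group(1) if m else mail_from_arg.strip()
    if path == "":
        return None  # bounce messages carry an empty reverse-path
    if "@" not in path:
        raise ValueError("reverse-path has no domain: %r" % path)
    return path.rsplit("@", 1)[1].lower().rstrip(".")

def host_in_domain(host, domain):
    """True only on a label boundary, so evil-yahoo.com is not yahoo.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_sender(mail_from_arg, client_ip, ptr_lookup=SAMPLE_PTR.get):
    """Return (verdict, reason) for one SMTP envelope sender."""
    domain = sender_domain(mail_from_arg)
    if domain is None or domain not in STRICT_DOMAINS:
        # Redirection addresses such as @pobox.com are left alone.
        return ("accept", "sender domain is not on the strict list")
    host = ptr_lookup(client_ip)
    if host is None:
        return ("reject", "client has no reverse DNS")
    if host_in_domain(host, domain):
        return ("accept", "client %s is inside %s" % (host, domain))
    return ("reject", "client %s is outside %s" % (host, domain))

if __name__ == "__main__":
    for arg, ip in [("<a@yahoo.com>", "192.0.2.10"),
                    ("<a@yahoo.com>", "198.51.100.7"),
                    ("<a@pobox.com>", "198.51.100.7")]:
        print(arg, ip, check_sender(arg, ip))
```

A PTR record is set by whoever controls the address block, so a live version of this check would also confirm that the returned name resolves back to the connecting address.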

