Re: Forged FROM addresses/non-disclosed info in Outlook can lead to potential serious Social Attack

[Neil W Rickert <rickert+bt () cs niu edu>]

David Walker <bugtraq () grax com> wrote:

> One of the issues bothering me is the fact that mail servers will accept what 
> you tell them meaning that I can easily send mail pretending to be from any 
> domain.  I propose that a new type of dns entry be created for authorized 
> outgoing mail servers.  Mail servers will be able to discover if the IP 
> address connected to them is authorized to send mail for that domain and 
> either deny the message or add a warning to it.

This is an very bad idea.  It is often suggested, perhaps as a
reaction to the amount of email abuse (mostly spam).

No new DNS record is required for this.  We already know the
answer.  Every mail server is entitled to send mail with any valid
email address.

Email is a system that depends on relaying and forwarding.  The
sender address is properly associated with the human sender of the
mail, not with the particular IP address of a machine through which
it passes on its route.

The fallacy of the proposal is based on the mistaken notion that an
email address is the property of the computer from which it is
received.  However, an email address is more properly that of a
person, or perhaps a person acting in a particular capacity.  Such a
person is entitled to use that email address whether at the office,
or working at home, or on a business trip using a laptop, or sending
from another computer made available to him.

Yes, email addresses are forged.  This is a social problem.  A poorly
thought out quick-and-dirty fix will not correct this social
problem.  It will cause serious damage to the email system and the
current ways it is used.

 -NWR