Hi

On Tuesday 2 August 2016 at 2:32:17 AM, in
<mid:31f732aa-defe-23a0-9e66-15fa057d5...@twopif.net>, Lachlan Gunn wrote:

> 2. With Gmail at least, the From seems to be replaced with the account
> that I log in from, yielding the following (lach...@twopif.net is a
> Google Apps address):

> From: Lachlan Gunn <lach...@twopif.net>
> X-Google-Original-From: Lachlan Gunn <lachlan.g...@gmail.com>

Does that mean you sent the email from the @gmail.com address, but because you happened to be logged in with the @twopif.net address Google took it upon themselves to change the from address? I wouldn't like that: it is not up to the email provider to choose which of my email addresses I expose to which contacts.

> I would have thought that any sane MTA would do either this or outright
> reject such an email, but maybe I'm overoptimistic.

Rejecting with a clear message indicating the reason makes more sense to me.

> This is why I meant that whitelisting might be a good idea---if it is
> known that they have anti-spoofing measures in place then their signature
> has value, if not then no.

Even if they have such measures in place, the account may have extra addresses or aliases configured to send messages (GMX, Gmail, Yahoo, Riseup all allow this in slightly differing forms). Presumably a signature from a provider that allows this would have lower value than one from a provider that does not, but higher value than one from a provider who was not known to have anti-spoofing measures in place?

> I guess I should clarify this to mean that the subject would have to be
> "VALIDATE-EMAIL-F3E3..." without any other text around it. Dashes are
> there so that misleading spacing cannot be canonicalised away. Subject
> lines wouldn't ever be changed and expected to remain valid, because the
> process would be "Send a blank email with the subject line
> "VALIDATE-EMAIL-<your fingerprint>".

In that case, what attacks involving reply-to are you wishing to protect against?

-- 
Best regards

MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

A nod is as good as a wink to a blind bat!

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
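
As an added example, not part of the original message or of any project's code: a strict check of the validation subject line discussed in the thread, which also reports when the provider has replaced the From address. The 40-hex-digit fingerprint format, the whitespace-collapsing canonicalisation and the sample addresses are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: <fingerprint> is 40 upper-case hex digits (OpenPGP v4 fingerprint).
TOKEN = re.compile(r"VALIDATE-EMAIL-([0-9A-F]{40})")

def collapse_ws(value):
    """Assumed canonicalisation: whitespace runs become one space, ends trimmed."""
    return " ".join(value.split())

def check_request(raw_message):
    """Return (address, fingerprint, claimed_from), or None if the subject is not exact.

    address      -- the From address as delivered (what the provider vouches for)
    claimed_from -- address in X-Google-Original-From when it differs, else None
    """
    msg = message_from_string(raw_message)
    match = TOKEN.fullmatch(msg.get("Subject", ""))  # no text or spacing around it
    if match is None:
        return None
    sender = parseaddr(msg.get("From", ""))[1].lower()
    original = parseaddr(msg.get("X-Google-Original-From", ""))[1].lower()
    if not sender:
        return None
    claimed = original if original and original != sender else None
    return sender, match.group(1), claimed

# Constructed sample data: the fingerprint and addresses are placeholders.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
EXACT = f"From: Alice <alice@example.org>\nSubject: VALIDATE-EMAIL-{FPR}\n\n"
PADDED = f"From: Alice <alice@example.org>\nSubject: Re: VALIDATE-EMAIL-{FPR} thanks\n\n"
REWRITTEN = (
    "From: Alice <alice@example.org>\n"
    "X-Google-Original-From: Alice <alice@example.com>\n"
    f"Subject: VALIDATE-EMAIL-{FPR}\n\n"
)

if __name__ == "__main__":
    for name, raw in (("exact", EXACT), ("padded", PADDED), ("rewritten", REWRITTEN)):
        print(name, check_request(raw))
    # Differently spaced subjects collapse to one string; the dashed token is unchanged.
    print(collapse_ws("VALIDATE EMAIL  X") == collapse_ws("VALIDATE EMAIL X"))
    print(collapse_ws("VALIDATE-EMAIL-" + FPR) == "VALIDATE-EMAIL-" + FPR)
```

Whether a message whose From was replaced should count as validating the delivered address is left to the caller; the function only surfaces both addresses.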