> Does that mean you sent the email from the @gmail.com address, but
> because you happened to be logged in with the @twopif.net address
> Google took it upon themselves to change the from address? I wouldn't
> like that: it is not up to the email provider to choose which of my
> email addresses I expose to which contacts.

I mean that I connect to Google's SMTP server with Thunderbird using the "lach...@twopif.net" login details, but configure the account's email address to be lachlan.g...@gmail.com, so that From: and MAIL FROM are both @gmail.

> Rejecting with a clear message indicating the reason makes more sense
> to me.

Yes, however I expect that they decided that it would generate too much confusion if people who mis-spelt their email address slightly were unable to send mail.

> Even if they have such measures in place, the account may have extra
> addresses or aliases configured to send messages (GMX, Gmail, Yahoo,
> Riseup all allow this in slightly differing forms). Presumably a
> signature from a provider that allows this would have lower value than
> one from a provider that does not, but higher value than one from a
> provider who was not known to have anti-spoofing measures in place?

I'm not sure exactly what you mean, but I don't think the existence of such aliases is a problem---unless I misunderstand, ultimately the sender still controls the alias, and it is no different from any other email address in that respect.

> In that case, what attacks involving reply-to are you wishing to
> protect against?

The main thing is to prevent things like putting request@roboca into the to: field in a mass email and then bank on someone hitting reply-to-all, or by putting it into Reply-To. Checking the subject line seems fairly reasonable, and requiring an email in response to one the CA---In-Reply-To is signed in my test messages, you can use a signature as the message ID---ought to make things more difficult for anyone but the CA.

Thanks,
Lachlan
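The reply check discussed in the message above, sketched as an added example that is not part of the original post or of any robot CA's code: the CA accepts a confirmation only if it carries the expected subject marker and its In-Reply-To is a Message-ID the CA itself issued for that sender. An HMAC stands in here for the OpenPGP signature the post suggests using as the message ID; `CA_KEY`, `CA_DOMAIN`, `SUBJECT_TAG` and the function names are hypothetical, and From and In-Reply-To are assumed to have already been verified as covered by the sender's signature.

```python
import hashlib
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

CA_KEY = secrets.token_bytes(32)    # assumption: secret held only by the CA
CA_DOMAIN = "roboca.example"        # placeholder domain
SUBJECT_TAG = "[roboca-challenge]"  # hypothetical subject marker


def _addr(header_value):
    """Bare, lower-cased address from a From-style header value."""
    return parseaddr(header_value)[1].strip().lower()


def challenge_id(address, nonce):
    """Message-ID for a challenge, bound to one address by an HMAC."""
    data = f"{_addr(address)}|{nonce}".encode()
    mac = hmac.new(CA_KEY, data, hashlib.sha256).hexdigest()
    return f"<{nonce}.{mac}@{CA_DOMAIN}>"


def accept_reply(raw_message):
    """Return the confirmed address, or None if this is not a reply to a
    challenge the CA issued to that sender."""
    msg = message_from_string(raw_message)
    sender = _addr(msg.get("From", ""))
    ref = msg.get("In-Reply-To", "").strip()
    if not sender or SUBJECT_TAG not in msg.get("Subject", ""):
        return None
    nonce = ref[1:].partition(".")[0]
    expected = challenge_id(sender, nonce)
    # Constant-time compare on bytes; untrusted header text may be non-ASCII.
    if hmac.compare_digest(ref.encode("utf-8", "replace"), expected.encode()):
        return sender
    return None


if __name__ == "__main__":
    # Constructed sample messages.
    mid = challenge_id("alice@example.org", secrets.token_hex(8))
    reply = (f"From: Alice <alice@example.org>\nSubject: Re: {SUBJECT_TAG}\n"
             f"In-Reply-To: {mid}\n\nconfirm\n")
    reply_all = (f"From: Bob <bob@example.org>\nSubject: Re: {SUBJECT_TAG}\n"
                 "In-Reply-To: <mass-mail@sender.example>\n\nthanks\n")
    print(accept_reply(reply), accept_reply(reply_all))
```

A reply-to-all to a third party's mass mail references that mail's Message-ID rather than one the CA issued, so it is dropped even when the subject line matches.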