For those following Sender based authentication - a question

Benjamin Scott bscott at ntisys.com
Mon Nov 22 09:10:01 EST 2004


On Sun, 21 Nov 2004, at 10:08pm, macfisherman at gmail.com wrote:
> The HELO domain represents the mail provider used by the author of the
> message and thus is more closely related to the author than any other
> header within the message.

  Ehhhhh...

  HELO isn't even a header.  It is an SMTP command verb.  One might be able
to deduce the HELO information from a "Received" header, but I wouldn't bet
on it.

  HELO is issued by the sender-SMTP (AKA client) to identify itself to the
receiver-SMTP (AKA server AKA listener).  All it does is identify the client
for the duration of an SMTP session.  It has *nothing* to do with the mail
being transferred.  Indeed, you can issue a HELO without ever sending a
message, and you can deliver multiple messages in a single SMTP session (all
on the same HELO).

  And, like the rest of Internet email, none of this is authenticated by
default.  The HELO information and the "Received" header are frequently
forged.  HELO doesn't even permit authentication (you need EHLO, to identify
yourself as ESMTP capable, for that).  The HELO information is also
frequently wrong through misconfiguration -- many hosts (especially end-user
submitters) don't even know their own host name.

  Somebody is really far off base here.  :-)

> This is from the CSV doc to the FTC.

  Huh?  "CSV doc to the FTC"?  In my world, FTC is "Federal Trade
Commission", and CSV is "Comma Separated Value".  Given those expansions, I
cannot understand the above sentence.  Please restate it more clearly.

  :-)

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
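
Added example, not part of the original message: a sketch of pulling the client-supplied HELO name out of "Received" headers and comparing it with the reverse-DNS name and IP address the receiving server recorded. It assumes a Postfix-style header layout; the function name `helo_claims` and the sample message are constructed for illustration, and headers in any other layout are reported as unparsed rather than guessed at.

```python
import re
from email import message_from_string

# Postfix-style trace field: "from <HELO name> (<rDNS name> [<peer IP>])".
# Other MTAs format this differently, so a non-match means "unknown".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

# Constructed sample message (documentation-only names and addresses).
SAMPLE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP id 0000000001;
\tMon, 22 Nov 2004 09:00:00 -0500 (EST)
Received: from mx1.example.org (host-7.dialup.example.net [198.51.100.7])
\tby mail.example.com (Postfix) with SMTP id 0000000002;
\tMon, 22 Nov 2004 08:59:00 -0500 (EST)
Received: from localhost by workstation with local; Mon, 22 Nov 2004 08:58:00 -0500
From: someone@example.org
Subject: constructed sample

body
"""

def helo_claims(raw_message):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m is None:
            hops.append({"helo": None, "rdns": None, "ip": None, "status": "unparsed"})
            continue
        # helo is whatever the client sent; rdns and ip were recorded by the
        # server that wrote this header, from the TCP connection it saw.
        helo = m["helo"].lower().rstrip(".")
        rdns = m["rdns"].lower().rstrip(".")
        if rdns == "unknown":
            status = "no-rdns"
        elif helo == rdns:
            status = "match"
        else:
            status = "mismatch"
        hops.append({"helo": helo, "rdns": rdns, "ip": m["ip"], "status": status})
    return hops

if __name__ == "__main__":
    for hop in helo_claims(SAMPLE):
        print(hop)
```

Only the topmost "Received" header, the one written by your own server, reflects a connection you actually observed; every header below it arrived as part of the message and can itself be forged.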



