[ih] Design choices in SMTP (custom emails per recipient)

Jack Haverty jack at 3kitty.org
Thu Feb 9 19:08:40 PST 2023


 From the source of the message you just sent:

=================

Reply-To:dcrocker at bbiw.net
Subject: Re: [ih] Design choices in SMTP (custom emails per recipient)
To: Jack Haverty<jack at 3kitty.org>
From: Dave Crocker<dhc at dcrocker.net>

=========================

So you're saying that as a simple-minded mail user today, I should:
- ignore the "Dave Crocker" that appears in my Inbox, since it might be 
forged
- ignore the fact that I received this message from "Dave Crocker" 
rather than the preceding ones that were from "Dave Crocker via 
Internet-history" (I know the list tries to suppress duplicates)
- somehow notice and remember that "dhc at crocker.net", which my mail 
program (Thunderbird) doesn't even normally display, is actually the 
person I've known for decades
- not be concerned that "dcrocker at bbiw.net" might not be the same person 
to get this reply.

Seems like a pretty poor UX design, IMHO.

Jack


On 2/9/23 13:27, Dave Crocker wrote:
> On 2/9/2023 1:03 PM, Jack Haverty via Internet-history wrote:
>> I remember that hack.  You could send email posing as anyone you 
>> liked, by just putting whatever you wanted into the From: header 
>> field.   It drove me crazy trying to get my mail server, which tried 
>> to parse and verify those fields, to deal with all the poetry people 
>> put into email headers.
>>
>> Sadly, it's not just a problem of the ancient 1970s/80s.  I regularly 
>> receive emails now, in 2023, which look like I sent them.   I can 
>> recognize them as phishing blackmail, but I suspect many people 
>> cannot tell that they're forged. 
>
> Note:
>
>  1. The content From: header field has 3 components:  Free-form
>     display 'name', author mailbox, and author domain.
>  2. There is a continuing constituency of anti-abuse folk who want to
>     find a way to restrict the 'abuses' of the display-name.  They
>     have never come up with anything that has any hope of doing a
>     generally useful job.  Some sites, however, do reject or sideline
>     mail that has a display-name with the syntax of an email address.
>  3. There is literally no empirical evidence that any of this affects
>     recipient behavior.  Users are primarily affected by the actual
>     content, not the From field.
>
> DMARC was created to prevent spoofing the From: field domain name. 
> It's effective, but created serious collateral damage for mail going 
> through alias forwarders and mailing lists. Among the anti-abuse 
> community, people are quite cavalier about the collateral damage.
>
> In response to the damage, it is common for mailing lists to now 
> recast the From field, along the lines of what this list does:  They 
> replace the From: field with the address of the mailing list, recast 
> display-name to annotate that they've messed with the field, and set 
> Reply-To: to be the author's address.  The irony is that this is now 
> an accepted means of bypassing DMARC protection.
>
> In architectural terms, this has turned the From: field pretty much 
> into what was (and is) originally the semantics of the Sender: field.
>
> In response, I recently did RFC 9057, Email Author Header Field, to 
> provide a place for unmodified author information. While I'm amused to 
> see exactly three people are sending mail to my inbox using that 
> field, I believe it has, so far, had virtually no uptake.
>
> d/
>
> -- 
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
> mast:@dcrocker at mastodon.social
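
The header checks discussed in this thread, as an added example that is not part of either message: it splits a From: value into the three components listed above, flags a display-name with the syntax of an email address, flags a Reply-To: domain that differs from the From: domain, and recognises a list-rewritten From:. The function names, finding labels, the "via" heuristic and the sample headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Display names that contain something shaped like an email address.
ADDR_LIKE = re.compile(r"[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+")

def _domain(addr):
    """Domain part of an addr-spec, or '' when there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def from_components(value):
    """Split a From: value into (display_name, mailbox, domain)."""
    name, addr = parseaddr(value)
    return name, addr.rpartition("@")[0], _domain(addr)

def review_headers(raw):
    """Return a list of finding labels (labels are this example's own)."""
    msg = message_from_string(raw)
    name, _, from_domain = from_components(msg.get("From", ""))
    findings = []
    if ADDR_LIKE.search(name):
        findings.append("display-name-looks-like-address")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-differs-from-from")
    # Assumed heuristic: "<author> via <list>" plus a List-Id header.
    if " via " in name and msg.get("List-Id"):
        findings.append("list-rewritten-from")
    return findings

# Constructed sample headers (example domains, not taken from real mail).
DIRECT = ("From: Dave Crocker <dhc@author.example>\n"
          "Reply-To: dcrocker@other.example\n\n")
LOOKALIKE = 'From: "billing@bank.example" <news@mailer.example>\n\n'
VIA_LIST = ("From: Dave Crocker via Internet-history <ih@lists.example>\n"
            "Reply-To: dhc@author.example\n"
            "List-Id: <ih.lists.example>\n\n")

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("lookalike", LOOKALIKE),
                       ("via-list", VIA_LIST)):
        print(label, review_headers(raw))
```

The same Reply-To finding fires for both the direct message and the list-rewritten one, which is why that signal alone cannot separate a legitimate list rewrite from a mismatch worth a second look.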


