
TV> Date: Fri, 4 Feb 2005 09:53:07 -0500 (EST)
TV> From: Todd Vierling

TV> The only way to be sure is via cryptographic signature. Barring that level

False. You imply that a crypto signature is a perfect guarantee, and that
nothing else can provide equal assurance.

TV> of immediate traceability, SPF provides a very useful data point to that
TV> end (as its *only* purpose is curbing forgery).

SPF says "mail from this domain should only come from these MXes". It doesn't
stop someone from forging a random @domain.tld address from an SPF-blessed
Everquick MX.

Now, let's say it's known that Everquick MXes authenticate users and only allow
whitelisted "From: " email addresses.

Step 1: SPF [or similar/better] confirms that the MX is allowed to send email
on behalf of the claimed sender address. Discard message if it comes from a
bogus MX.

Step 2: The MX confirms that the user was authorized to use the claimed sender
address. The message would never have been transmitted had the user not
authenticated with the trusted MX.

Please explain how the "trust chain" does not verify the sending user.
"Malware will steal username/password" is not a valid answer, as the same can
apply equally to crypto keys.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
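The two-step "trust chain" argued above, as an added illustration that is not part of the original thread: a minimal SPF evaluator (step 1) followed by the submitting MX's From-address whitelist check (step 2). The domain, SPF record, IP addresses and user table are constructed sample data; the evaluator handles only ip4: and -all/~all terms.

```python
import ipaddress

# Constructed sample data (not from the original thread): the sending
# domain's published SPF record, and the MX's own table of which
# authenticated submission users may use which From: addresses.
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
}
FROM_WHITELIST = {
    "alice": {"alice@example.net", "sales@example.net"},
    "bob": {"bob@example.net"},
}


def spf_check(domain, client_ip):
    """Step 1: minimal SPF evaluator (ip4: and -all/~all only).
    Returns 'pass', 'fail', or 'none' when the domain publishes no record."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term in ("-all", "~all"):
            return "fail"
    return "fail"  # no mechanism matched; treat as fail for this demo


def mx_authorizes(auth_user, mail_from):
    """Step 2: the MX relays only if the authenticated user is
    whitelisted for the claimed sender address."""
    return mail_from.lower() in FROM_WHITELIST.get(auth_user, set())


def trust_chain(mail_from, client_ip, auth_user):
    """Combine both steps. SPF alone blesses *any* @domain address sent
    from an allowed MX; the whitelist ties the address to a real user.
    Policy choice for the demo: anything other than SPF 'pass' is rejected."""
    domain = mail_from.rsplit("@", 1)[-1]
    step1 = spf_check(domain, client_ip)
    if step1 != "pass":
        return ("reject", "spf:" + step1)
    if not mx_authorizes(auth_user, mail_from):
        return ("reject", "mx:unauthorized-from")
    return ("accept", "spf:pass mx:authorized")
```

The interesting case is a forged `ceo@example.net` submitted by user `bob` from a blessed MX: SPF passes, and only the MX's whitelist rejects it.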