[RFCI-Discuss] Yahoo break RFC
jeff_pang at arcor.de
jeff_pang at arcor.de
Mon Oct 29 07:26:22 EDT 2007
Hello,
It's Jeff Pang from China, long time not see you guys.
Ok I sent this message with Arcor email, but this was not the real Arcor, it's from Yahoo's mail server.
The thing let me upset is, Yahoo fake the envelope address.
That's to say,when in smtp session to other MTAs, Yahoo said,
helo abc.mta.yahoo.com
mail from:<abc at gmail.com>
rcpt to:<recipient at domain.com>
You can see,Yahoo doesn't have the privileges to declare it's gmail,but it did.
The same thing happened with this email address of mime, Yahoo declare it's jeff_pang at arcor.com.
Another problem,with faking envelope address, Yahoo has broken the SPF rules.
Arcor has exact SPF records, which surely don't include Yahoo's IPs.
When a server get a message from abc at arcor.de which was faked by Yahoo, the sending IP doesn't belong to
Arcor, how would the recipient server think about? It reject this message or not?
Gmail also supports sending messages with other domains, but it doesn't fake the envolope address. The <return-path> is not changed. Also it add a header of 'Sender:' to declare it's gmail on behavior of other domains. This is good. But Yahoo's...
How about your thought on it? Is this a RFC break? Thanks!
More information about the RFCI-Discuss
mailing list