Re: Review process improvements


 



On Wed, Dec 22, 2021 at 11:42:02AM -0800, Junio C Hamano wrote:
> > This would require pretending that we're authorized to send mail from the
> > domain name of the commit author, so this unfortunately won't work (and hence
> > the reason why GGG does it this way). E.g. say you have:
> >
> > From: foo@xxxxxxxxxx
> > Subject: [PATCH] Fix foo
> 
> Would it help to use "Sender:"?  When GGG or any other automation
> are trying to send e-mail on behalf of the person shown on "From:",
> I thought that it is the mechanism for them to use to identify
> themselves.

Indeed, that's how the DKIM standard wanted to deal with this problem, however
when the DMARC RFC was being drafted, this approach was deemed insufficient.
They have a good explanation for it -- there is no standard among UI clients
to handle the Sender/From discrepancy. Most MUAs will happily ignore the
Sender: field and will only show what is in From:, so this approach was
considered ineffective against phishing attacks. An attacker could easily
register a domain, set DKIM records, and then use any From: they wanted as
long as they used a valid Sender: header, knowing that it would be ignored by
most mail clients.

So, DMARC deliberately ignores the Sender: header and *only* pays attention to
the From: field for its purpose.

-K
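
Added example, not part of the original message: a minimal Python sketch of the DMARC DKIM-alignment decision described above, showing that a valid signature from the relay's domain does not align with the author's From: domain and that Sender: plays no part in the result. The sample messages, the `example.org`/`example.net` domains, the function names and the two-label organizational-domain shortcut are assumptions made for illustration, and the DKIM signature is assumed to have already verified cryptographically.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (reserved example domains, placeholder signature).
DKIM = "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=sel1; b=CONSTRUCTED\n"
RELAYED = (DKIM + "From: Author <author@example.org>\n"
           "Sender: relay@lists.example.net\nSubject: [PATCH] Fix foo\n\nbody\n")
REWRITTEN = (DKIM + 'From: "Author via relay" <relay@lists.example.net>\n'
             "Subject: [PATCH] Fix foo\n\nbody\n")

def org_domain(domain):
    # Assumption: organizational domain approximated as the last two labels.
    # Real DMARC evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def from_domain(msg):
    # Domain of the address in From:, the only header identity DMARC checks.
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower()

def dkim_domain(msg):
    # Value of the d= tag in DKIM-Signature, or None if the message is unsigned.
    for tag in msg.get("DKIM-Signature", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return None

def dmarc_dkim_aligned(raw, strict=False):
    """True if the DKIM d= domain aligns with the From: domain.

    Sender: is never read, mirroring how DMARC ignores it.
    """
    msg = message_from_string(raw)
    author, signer = from_domain(msg), dkim_domain(msg)
    if not author or not signer:
        return False
    if strict:
        return signer == author          # strict mode: exact match
    return org_domain(signer) == org_domain(author)  # relaxed mode

if __name__ == "__main__":
    print("relayed, From: kept  ->", dmarc_dkim_aligned(RELAYED))
    print("From: rewritten      ->", dmarc_dkim_aligned(REWRITTEN))
```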


