To: drums@cs.utk.edu
Subject: Re: What's the Sender header for? 
In-Reply-To: Your message of "Tue, 10 Oct 1995 14:14:22 EST."
             <9510101914.AA18082@dogie.macc.wisc.edu> 
Date: Wed, 11 Oct 1995 05:35:46 +1000
Message-Id: <24263.813353746@munnari.OZ.AU>
From: Robert Elz <kre@munnari.oz.au>


    of what use is the kre@munnari.oz.au information to me?

Two things.   First, it tells you which particular person was
playing at being postmaster at the time, [which is really just
a literal answer to the question you asked - that need not be
done witha Sender header], and second, and more importantly,
it tells you who my mailer believes really sent the mail.

I know that "postmaster@munnari.oz.au" and "kre@munnari.oz.au"
are close enough to the same thing (the former is actually a
superset of the latter), but unless you're willing to trust
my word, you don't - nor does my mailer (I don't actually send
these messages from munnari, sometimes they never go near munnari)

I could just as easily stick "From: Eric Norman <ejnorman@macc.wisc.edu>"
in the messages I send.

I know this is totally pathetic as a security measure, if I really
wanted to forge a message from you, there's no way I would be
sending it via a mailer that added Sender headers, but when
defeating deliberate forgery is not the aim, the Sender header
does add useful extra information, provided the mailers implement
it sanely.

As to what is a "real" address, yes, that is hard as a concept.
I'd prefer to think of it as "validated address" but without the
sucurity overtones that carries.   That is, the mailer should be
taking some trouble to attempt to insert there the address of the
individual (entity, or program) that really caused the mail to
be sent.  The From: header on the other hand, is really little
more than a comment header with syntax rules.

kre