[mail-vet-discuss] what's the purpose of A-R?

[John L]

> In other words, if you have a gmail account and a yahoo account, there
> is no reason to believe that either gmail or yahoo will see the other's
> messages unless you are forwarding one to the other.

Well, duh.  That's why you can only believe a gmail AR header from the 
gmail account, and a yahoo header from a yahoo account unless you know 
enough about the paths between them to know what's a real forward and what 
isn't.  If you have a third mailbox that doesn't do AR at all, you 
probably need to ignore all the headers that account might send you, 
gmail, yahoo, or otherwise.  That's why I've been saying over and over and 
over that an AR message is only credible if it arrived via a good path. 
Tying the header name to the account is one way to do that BUT NOT THE 
ONLY WAY, and in setups more complicated than your end user sitting at the 
end of a VPN to HQ, often not even a feasible way.

> To remedy that situation you have to leave a gaping security hole for 
> all others.

Sigh.  Only if everyone involved are complete idiots.  We seem to have 
dealt adequately with the problem of forged received headers.  Why do you 
insist that the same people who can do that can't deal with forged AR 
headers?

> Because it can do harm if done wrong.  Providing a false sense of
> security is not helpful.

I guess I hold people in less contempt than you do.

If I sound extremely frustrated, it's because I am.  Your argument boils 
down to saying that since everyone else isn't as smart as you are and 
their mail setup is more complicated than yours, it's too dangerous to 
give them better tools.

R's,
John