SM V16.3.6585 - Changed: Trusted senders now only evaluates the Return-Path header.
Question asked by Douglas Brantley - 1/22/2018 at 1:46 PM
Answered
We are curious about the change: 
 
    Trusted senders now only evaluates the Return-Path header.
 
Why was the change initiated?

2 Replies

0
Matt Petty Replied
Employee Post Marked As Answer
We've since slightly rolled that change back, however it won't be until our next minor.
 
    Only trusted contacts will look at just the Return-Path header. When you use something like SPF, we can guarantee the Return-Path is not spoofed. Many mobile phones through various protocols will add the local user to the contacts list, and there are also common email addresses one might have in their contacts: admin@domain.com, support@domain.com, etc. Since what is in a contact list could potentially be predictable, spammers can try to utilize these addresses to bypass spam checks, something they can't do if we only use Return-Path and SPF together.
 
    The other sources of trusted senders, from the user's trusted sender list, the domain's, or even the system's will still continue using Return-Path, From, and Reply-To just as they were before.
 
So the new changes that have not rolled out yet will now only apply to Contacts.
 
Hopefully this clears up any confusion.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Matt Petty Replied
Employee Post
TL;DR: to prevent spam utilizing a user's contact list and a spoofed From + a return path which doesn't validate SPF from bypassing spam checks and being delivered to the user without question.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
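The rule described in the replies above, sketched as an added example (not SmarterMail's code and not part of the original posts). It assumes the SPF verdict for the envelope sender is supplied by the receiving MTA, that a contact match only counts when that verdict is `pass`, and that lists hold plain addresses; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def _addrs(msg, header):
    """Lower-cased addresses from every instance of one header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}

def trust_reason(raw, spf_result, contacts, trusted_list):
    """Return why a message may skip spam checks, or None if it may not.

    spf_result   -- SPF verdict for the Return-Path domain (assumed input)
    contacts     -- the user's contact addresses (often guessable)
    trusted_list -- explicit user/domain/system trusted senders
    """
    msg = message_from_string(raw)
    # Explicit trusted-sender lists still match on all three headers.
    for header in ("Return-Path", "From", "Reply-To"):
        if _addrs(msg, header) & trusted_list:
            return f"trusted-list:{header}"
    # Contacts match on Return-Path only, and only when SPF vouches for it,
    # so a spoofed From that names a contact earns no bypass.
    if spf_result == "pass" and _addrs(msg, "Return-Path") & contacts:
        return "contact:Return-Path"
    return None

def _mail(return_path, from_addr):
    """Build a constructed sample message."""
    return (f"Return-Path: <{return_path}>\nFrom: {from_addr}\n"
            "Subject: sample\n\nbody\n")

CONTACTS = {"support@domain.com"}   # constructed contact list
TRUSTED = {"news@vendor.example"}   # constructed trusted-sender list

if __name__ == "__main__":
    cases = [
        ("spoofed From, sender's own SPF passes",
         _mail("bounce@bulk.example", "support@domain.com"), "pass"),
        ("forged Return-Path, SPF fails",
         _mail("support@domain.com", "support@domain.com"), "fail"),
        ("genuine contact, SPF passes",
         _mail("support@domain.com", "support@domain.com"), "pass"),
        ("explicitly trusted From",
         _mail("bounce@bulk.example", "news@vendor.example"), "pass"),
    ]
    for label, raw, spf in cases:
        print(f"{label}: {trust_reason(raw, spf, CONTACTS, TRUSTED)}")
```
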
