O'ReillyNet looks into
the lack of adoption of SPF by banks, which, one would think, would welcome some protection against phishing attacks. "Wrong, says AOL's Hutzler. SPF only checks the hidden part of an email message known as the 'Return-Path' (or '821 header'). According to Hutzler, SPF completely ignores the From address (or '822 header,') which is used by phishers to 'social engineer' or dupe naïve recipients.
In other words, the wily phisher can forge the From line and still get past SPF checks--as long as his mail comes from an SPF-compliant domain listed in the Return-Path.
to post comments)