"John Levine" <johnl(_at_)iecc(_dot_)com> wrote:
Similarly, with ADSP you don't have to rely on published information, and
when information is published, you don't have to guess whether the
publisher is competent. You can maintain your own list of domains that you
trust to get ADSP right, and use standard software to apply that judgement.

Manual drop lists are a fine idea, but what do they have to do with ADSP?

1. Code reuse: Although you may choose to maintain your drop list, you
don't have to write software for your MTA, you can just configure it.

I'm happy to reuse the manual drop code in SpamAssassin. I still don't
see what it has to do with ADSP.

2. Discoverability: You can find out from ADSP publications that the sender
cares about this stuff. OK, it's still a leap to add them to your drop
list, but you do at least have somewhere to start.

Here's a thought experiment: let's say you have your list of domains
that are known to be phish targets that sign their mail, so you drop
unsigned mail, and they all happen to publish ADSP. Someone's ADSP
record goes away. Is it more likely that they've stopped signing
their mail, or that their ADSP record is temporarily messed up? Why?

Or, I suspect most likely, they thought they were signing everything and then
later something changed or they discovered they missed a piece of their
infrastructure, so they've retracted the policy until they've corrected the