Terry Fielder wrote:
William Leibzon wrote:
You should not query different identities on the same reputation
service, I believe that is a possibility for unpredictable and
incorrect results and reputation systems must be setup for each
specific identity in question.
William is right. You should not confuse "example.com-the-HELO-domain"
with "example.com-the-MAILFROM-domain".
You should not query "mailsenders.reputation-provider.com" for HELO
identities or "mtas.reputation-provider.com" for MAIL FROM identities.
I disagree, a domain may authorize RELAY.com to relay his email. But if
RELAY.com is notoroious for sending spam (from his other customers he
relays for), then when I check the HELO name I may want to reject the
mail from RELAY.com because of his bad spamming reputation even if the
"MAIL FROM" domain is SPF PASS for said relay.
Well, this scenario is actually one of the strengths of SPF (and other
sender domain authentication methods). Even if relay.com sends a lot of
spam, if you _do_ trust them to prevent cross-user forgery[1], you may be
able to still successfully get your own legitimate mail through, because
receivers don't necessarily have to block on the relay.com MTA IP address
any more, but can assess reputation on a per-domain basis instead.
References:
1.
http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-01.html#cross-user-forgery
pgpxl3VPu087w.pgp
Description: PGP signature