spf-discuss

Re: Attacking the throwaway-domain problem

2003-10-14 15:48:31
Ted Cabeen <secabeen(_at_)pobox(_dot_)com>:
One interesting possibility here is a spam-domain list with
the following properties:

1. Updated by automatic feeds from spam-traps.
2. Entries age.  Their expiry clock is reset when they're queried.
3. After a timeout period with no queries, the record expires.

Expiry is important because we don't want every domain name used as 
a throwaway to be poisoned forever.

The problem with this is how do you reliably determine what domain the
email is actually coming from?  If the spammers can find some way to
get amazon.com into the spam-domain list, they'll put it there in
order to make the list useless.  IP address blacklists can be fed by
spamtraps because forging the IP in a functional connection is
difficult.  Domain names can easily be forged, either in the message
headers, SMTP commands or reverse DNS entries.  We can use linked
forward and reverse DNS mappings to confirm identity, but spammers
will just not publish reverse DNS for their IPs.

Well, if the IP coming into the spamtrap isn't an authorized sender
for the domain you pull out, you don't log it.   So if Joe Spammer
wants to get Amazon into the BL, he has to do it with one of Amazon's
own machines :-).

Sorry, I thought this was obvious.  The bind we can set up, given widely
deployed SPF, is that

(a) If a spammer spews with an IP/domain combination that doesn't match,
    he loses -- the BL's spam traps ignore him, but all SPF-aware MTAs send 
    the mail to /dev/null.

(b) If a spammer spews with an IP/domain combination that *does* match,
    SPF-aware mailers won't bin his stuff, but spam traps catch it and
    the BL eats his domain.

So a two-layer check should work pretty well.
-- 
                <a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
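The two-layer scheme described in this message, as an added illustration that is not code from the list or from either poster: a spam-domain list that records a domain only when the connecting IP is an authorized sender for it, and whose entries expire unless they keep being queried. The authorization table and its IP ranges are constructed placeholders standing in for a real SPF record lookup.

```python
import ipaddress
import time

# Constructed stand-in for SPF evaluation: domain -> networks its policy authorizes.
# A real deployment would evaluate the domain's published SPF record instead.
AUTHORIZED_SENDERS = {
    "example.com": [ipaddress.ip_network("192.0.2.0/24")],
    "example.net": [ipaddress.ip_network("198.51.100.0/24")],
}


def spf_authorizes(domain: str, ip: str) -> bool:
    """True if ip is an authorized sender for domain (simplified SPF check)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SENDERS.get(domain, []))


class SpamDomainList:
    """Spam-domain list fed by spam traps; entries age out unless queried."""

    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can drive time
        self._expires = {}          # domain -> absolute expiry time

    def report_from_spamtrap(self, domain: str, connecting_ip: str) -> bool:
        """Record domain only if connecting_ip is an authorized sender for it.

        This gate is what stops a forged sender domain from poisoning the list:
        an unauthorized IP/domain pair is simply not logged."""
        if not spf_authorizes(domain, connecting_ip):
            return False
        self._expires[domain] = self.clock() + self.ttl
        return True

    def is_listed(self, domain: str) -> bool:
        """Query the list; a hit resets the entry's expiry clock."""
        now = self.clock()
        expiry = self._expires.get(domain)
        if expiry is None:
            return False
        if expiry <= now:
            del self._expires[domain]   # timed out with no queries: record expires
            return False
        self._expires[domain] = now + self.ttl
        return True
```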

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/