
RE: [Asrg] SMTP AUTH

2004-12-08 08:09:51

Authentication proves NOTHING regarding legitimacy because a zombie spambot can
trivially send what it sends using the authentication belonging to the hijacked
system.

This is not true unless you insist on the myopic strategy of examining each
email independently with no ability to save state. 

A long time ago it was fashionable to study 'game theory', in particular the
prisoner's dilemma games that Axelrod used as a model for mutually assured
destruction strategy. The point missed by most (but not all) researchers
that continued after Axelrod was that in any situation other than nuclear
deterrence the game is played repeatedly. Once the participants know that it
will be repeated their behaviors change and they no longer end up opting for
the worst case scenario every time.

It is the same here: if you have ONLY the email streams and NO external
accreditation data then you can soon start to identify patterns such as
'mail from example.com is consistently legitimate'. This is almost certainly
how most of the spam filtering vendors use SPF data today.

The disadvantage to this scheme is that it depends on having previously
established a reputation. There is no way to break in unless a door is left
for the spammers.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
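
The stateful approach argued for in the message above, as an added example that is not part of the original post: a receiver keys saved history on the authenticated domain, so a hijacked sender loses standing and a domain with no history gets none. The class and function names, thresholds and sample stream are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample stream of (authenticated_domain, later_verdict) pairs.
# The domain is the identity the authentication step (e.g. SPF) validated;
# the verdict is feedback learned afterwards (user reports, content filter).
SAMPLE_STREAM = (
    [("example.com", "ham")] * 40
    + [("zombie.example.net", "ham")] * 5
    + [("zombie.example.net", "spam")] * 30   # hijacked host, valid credentials
    + [("newcomer.example.org", "ham")] * 2
)

MIN_HISTORY = 20    # assumed: messages required before a score is acted on
TRUST_AT = 0.95     # assumed thresholds on the smoothed ham fraction
DISTRUST_AT = 0.50


class ReputationStore:
    """Saved state across messages, keyed by authenticated domain."""

    def __init__(self):
        self._counts = defaultdict(lambda: {"ham": 0, "spam": 0})

    def record(self, domain, verdict):
        self._counts[domain.lower()]["spam" if verdict == "spam" else "ham"] += 1

    def _get(self, domain):
        # .get() avoids creating an entry for a domain that was only queried.
        return self._counts.get(domain.lower(), {"ham": 0, "spam": 0})

    def score(self, domain):
        """Laplace-smoothed fraction of legitimate mail; 0.5 means no evidence."""
        c = self._get(domain)
        return (c["ham"] + 1) / (c["ham"] + c["spam"] + 2)

    def classify(self, domain):
        c = self._get(domain)
        if c["ham"] + c["spam"] < MIN_HISTORY:
            return "unknown"        # no established reputation yet
        s = self.score(domain)
        if s >= TRUST_AT:
            return "trusted"
        return "distrusted" if s < DISTRUST_AT else "neutral"


def build_store(stream=SAMPLE_STREAM):
    store = ReputationStore()
    for domain, verdict in stream:
        store.record(domain, verdict)
    return store
```
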

