> The reason that SPF is here to stay is that it is good enough
authentication for most of the mail that most receivers and senders care
the most about.
With all due respect, that's kind of like saying that you've developed
an airplane which will get the passengers there for 95 (or even 99)
flights out of a hundred...!
The fact that SPF screws up on so many ENTIRELY ANTICIPATED AND
LEGITIMATE cases, IMHO, makes it not viable, even though it works for
SOME mails, MOST of the time.
Personally, I *strongly* believe that the best approach requires a mix
of techniques, including (again) a combination of:
1) fine-grained content criteria based upon the sender/recipient duple;
2) a suitably restrictive default policy to apply to senders
previously unknown (or untrusted) to the indicated intended recipient;
3) following THOSE techniques, which by default will block virtually
all worms/viruses and other evasions, then using SpamAssassin or similar
to analyze the actual content of the message, which (after
scripting/HTML/attachments/ActiveX and so forth are out of the equation)
can probably do a pretty good job;
4) additional optional content tests for familiar senders (familiar
mastheads, sig files, or other familiar-looking authenticating content
that recipient expects in mail from that sender).
If implemented intelligently, I believe this will provide the MOST
safety, the FEWEST false positives, and give the recipient (the one who
counts the most) the best feeling of control over their Inbox.
--
Gordon Peterson II
http://personal.terabites.com
1977-2007: Thirty-year anniversary of local area networking
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
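The four-stage pipeline sketched in the post above (per sender/recipient pair criteria, a restrictive default for strangers, content scoring only on what survives, then a familiar-content check for known senders) as an added worked example. This is illustrative code written for this page, not the poster's software or anything from the ASRG; the pair rules, addresses, "expected marker" strings and the keyword scorer that stands in for SpamAssassin are all constructed assumptions.

```python
"""Staged mail filter: sender/recipient policy first, content scoring last.

Added example, not code from the original post. Rule tables, addresses and
the tiny phrase scorer (a stand-in for SpamAssassin) are constructed.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Constructed rules keyed by (sender, recipient). A missing pair means the
# sender is unknown to that recipient and gets DEFAULT_UNKNOWN instead.
PAIR_RULES = {
    ("alice@example.org", "bob@example.net"): {
        "allow_html": False,
        "allow_attachments": False,
        "expected_marker": "-- Alice, example.org ops",  # familiar sig line
    },
    ("newsletter@example.com", "bob@example.net"): {
        "allow_html": True,
        "allow_attachments": False,
        "expected_marker": "Example Weekly",  # familiar masthead
    },
}
DEFAULT_UNKNOWN = {"allow_html": False, "allow_attachments": False,
                   "expected_marker": None}

# Stand-in for SpamAssassin-style scoring; a real deployment would call
# the real scanner at this stage.
SPAMMY_PHRASES = ("click here", "act now", "free money", "verify your account")
SPAM_THRESHOLD = 2


def _addr(header_value) -> str:
    """Bare lowercase addr-spec from a From/To header (empty if absent)."""
    return email.utils.parseaddr(str(header_value or ""))[1].lower()


def _structural_violations(msg, rule) -> list[str]:
    """Stage 2: list every MIME part the pair policy does not allow."""
    problems = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment":
            if not rule["allow_attachments"]:
                problems.append(f"attachment not allowed: {part.get_filename()!r}")
        elif ctype == "text/html":
            if not rule["allow_html"]:
                problems.append("html body not allowed")
        elif ctype != "text/plain":
            problems.append(f"unexpected part type {ctype}")
    return problems


def _plain_text(msg) -> str:
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def classify(raw: bytes) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is reject, spam, suspect or accept."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender, recipient = _addr(msg["From"]), _addr(msg["To"])

    # Stage 1: is this sender known to this particular recipient?
    rule = PAIR_RULES.get((sender, recipient))
    known = rule is not None
    if not known:
        rule = DEFAULT_UNKNOWN

    # Stage 2: structural policy; strangers get the strict default.
    problems = _structural_violations(msg, rule)
    if problems:
        who = "known" if known else "unknown"
        return "reject", [f"{who} sender: {p}" for p in problems]

    # Stage 3: content scoring on the plain text that survived stage 2.
    text = _plain_text(msg).lower()
    hits = [p for p in SPAMMY_PHRASES if p in text]
    if len(hits) >= SPAM_THRESHOLD:
        return "spam", [f"phrase: {h}" for h in hits]

    # Stage 4: familiar-content check for senders the recipient knows.
    marker = rule["expected_marker"]
    if known and marker and marker.lower() not in text:
        return "suspect", [f"expected marker missing: {marker!r}"]
    return "accept", []


def build_message(sender, recipient, body, html=None, attachment=None) -> bytes:
    """Construct a test message as raw RFC 5322 bytes (constructed input)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, recipient, "test"
    m.set_content(body)
    if html is not None:
        m.add_alternative(html, subtype="html")
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_message("alice@example.org", "bob@example.net",
                      "Hi Bob,\nmeeting at 3.\n-- Alice, example.org ops\n"),
        build_message("stranger@example.test", "bob@example.net",
                      "hello", html="<b>hello</b>"),
        build_message("stranger@example.test", "bob@example.net",
                      "Click here to act now"),
        build_message("alice@example.org", "bob@example.net", "Hi Bob\n"),
    ]
    for raw in samples:
        print(classify(raw))
```

The ordering is the point: an HTML part or attachment from an unknown sender is rejected before any content scanner sees it, so the scanner only ever works on plain text, and a known sender whose message lacks the familiar sig or masthead is flagged as suspect rather than silently accepted.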