--On 27 January 2009 17:34:41 -0600 Gordon Peterson <gep2(_at_)terabites(_dot_)com>
wrote:
> > The reason that SPF is here to stay is that it is good enough
> > authentication for most of the mail that most receivers and senders care
> > the most about.
> With all due respect, that's kind of like saying that you've developed an
> airplane which will get the passengers there for 95 (or even 99) flights
> out of a hundred...!
> The fact that SPF screws up on so many ENTIRELY ANTICIPATED AND
> LEGITIMATE cases, IMHO, makes it not viable, even though it works for
> SOME mails, MOST of the time.
> Personally, I *strongly* believe that the best approach requires a mix of
> techniques, including (again) a combination of:
> 1) fine-grained content criteria based upon the sender/recipient
> duple;
> 2) a suitably restrictive default policy to apply to senders
> previously unknown (or untrusted) to the indicated intended recipient;
> 3) following THOSE techniques, which by default will block virtually
> all worms/viruses and other evasions, then use SpamAssassin or similar to
> analyze the actual content of the message (which, after
> scripting/HTML/attachments/ActiveX and so forth are out of the equation)
> can probably do a pretty good job.
> 4) additional optional content tests for familiar senders (familiar
> mastheads, sig files, or other familiar-looking authenticating content
> that recipient expects in mail from that sender).
> If implemented intelligently, I believe this will provide the MOST
> safety, the FEWEST false positives, and give the recipient (the one who
> counts the most) the best feeling of control over their Inbox.
With all due respect, that's kind of like saying that you've developed an
airplane which will get the passengers there for 95 (or even 99) flights
out of a hundred...! Only this time, the airplane was designed by Heath
Robinson or Rube Goldberg.
--
Ian Eiloart
IT Services, University of Sussex
x3148