-----Original Message-----
From: Matt Sergeant [mailto:msergeant(_at_)messagelabs(_dot_)com]
It would do the job 'better' in the same sense that a fully armoured tank would do the job of getting to work safely 'better'.
OK, so we've established that:
1) Caller-ID authenticates "GOOD EMAIL". Effectively a whitelisting technique.
2) Caller-ID is better at this than S/MIME or TLS because it's easier to set up and administer.
This is useful to know your positioning on Caller-ID. Let me know if the above is way off base.
I think that is a reasonable characterization, although in the
interests of precision I avoid the use of the word 'better'
without qualification since that is a subjective value judgement.
One of the hard lessons of the last few years has been that
'better' security may mean something that is easier to
break but more acceptable to the user and administrators.
It's kinda like the WAF in home theatre.
Anything where a spammer can set up their own domain, add DNS records, and freely pass through our system just isn't going to fly.
I agree with this, but disagree with your conclusion.
The SpamAssassin developers (of which I used to be one, may go back some day) got rid of all "white" rules in SpamAssassin a while ago, because spammers (ab)use them to get through.
So I conclude that for our servers any MARID system *cannot* be a
whitelisting system, because they are just far too open for abuse.
MARID is an authentication system (title mistake aside).
Access Control = Authentication + Authorization.
The mistake that was made in the SpamAssassin case was to use authorization without any authentication to anchor it to a particular identity.
It is just as big a mistake to blindly whitelist domains that have SPF records.
Accreditation is out of scope here, but MARID is a component of a spam solution, not a complete solution in itself.
Today MARID + Spam filter = improved spam situation
Future MARID + Accreditation = The end of spam
Phill