On 27 Apr 2004, at 14:51, Hallam-Baker, Phillip wrote:
Anything where a spammer can set up their own domain, add DNS records,
and freely pass through our system just isn't going to fly.
I agree with this, but disagree with your conclusion.
The SpamAssassin developers (of which I used to be one, may go back some
day) got rid of all "white" rules in SpamAssassin a while ago, because
spammers (ab)use them to get through.
So I conclude that for our servers any MARID system *cannot* be a
whitelisting system, because they are just far too open for abuse.
MARID is an authentication system (title mistake aside).
Access Control = Authentication + Authorization.
Right. There's no authorization mechanism available yet for Caller-ID,
which is what I meant when I said I didn't see the value.
The mistake that was made in the SpamAssassin case was to use
authorization without any authentication to anchor it to a particular
identity.
I didn't mean the whitelist_from rules (which whitelisted based on the
From address alone) - I meant all of the negative scoring rules. It
became a meta rule if you're writing a heuristic spam filter: "never
have non-spam rules".
It is just as big a mistake to blindly whitelist domains that have
SPF records.
SPF is clearly designed with different aims in mind. It's a rejection
mechanism not an acceptance mechanism.
Accreditation is out of scope here, but MARID is a component of a
spam solution not a complete solution in itself.
Today MARID + Spam filter = improved spam situation
Future MARID + Accreditation = The end of spam
My question then, if the MARID you propose is a whitelisting mechanism,
is what is the difference between "Spam filter" and "MARID + Spam
filter"?
Harry talks about barriers to acceptance with SPF (breaking
forwarding), but if the *value* of accepting Caller-ID is effectively a
"short" (a gamble on a potential future gain), I can't help but feel
this is a larger barrier.
Matt.