
Interaction with anti-spam systems (was Re: A spammer subscribed to this list ? )

2004-08-04 11:51:41


"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:
There are mechanisms that people could in theory use to obtain a
false assurance that an email is authentic.

  To change the topic slightly, while the use of MARID may ensure that
the email is authentic, that information isn't very useful.  We
already know that spammers think their email is authentic.  What *is*
useful is using MARID to find email that *isn't* authentic.

  E.g., I've talked to people who say that 90% of the SPF records they
see are from spammers.

  Why?  Because people are using SPF in conjunction with anti-spam
systems like Spamassassin, and giving *positive* scores to email which
passes SPF.  The end result is that spammers can *gain* by publishing
SPF records, as their spam is more likely to get through.

  If, instead, Spamassassin (and similar systems) were to give *zero*
additional score for a sender which passes SPF, then spammers would
have nothing to gain by publishing those records.  SPF could still be
used in conjunction with Spamassassin, to take messages which fail
SPF, and either reject them, or give them high negative scores.

  The practice of having positive scores in spamassassin for SPF
records should be strongly discouraged.  It ensures that spammers can
gain from using SPF/MARID, and contributes to the spam problem.


  To put it another way, if a site publishes SPF records, you still
have no idea whether or not you can trust email from that site.  But
you *can* decide that email which doesn't pass SPF for a site is
definitely untrustworthy.

  Alan DeKok.
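As an added example (not part of the post above), here is how the scoring policy it argues for looks as a SpamAssassin local.cf fragment. Note that SpamAssassin's sign convention is the reverse of the post's wording: a negative score is a reward, a positive score is a penalty. The rule names SPF_PASS, SPF_HELO_PASS, SPF_FAIL and SPF_SOFTFAIL and the whitelist_from_spf directive belong to SpamAssassin's SPF plugin; the numeric values and the domain are illustrative.

```conf
# Added example (not from the post): local.cf overrides for the
# SpamAssassin SPF plugin. Sign convention: negative = less spammy.

# Discouraged: a blanket reward for passing SPF. Any sender, including
# a spammer, can earn it simply by publishing an SPF record.
# score SPF_PASS -3.0

# Recommended: a pass earns nothing, so publishing a record gives the
# sender no advantage over not publishing one.
score SPF_PASS      0.0
score SPF_HELO_PASS 0.0

# A fail is strong evidence the message did not come from where it
# claims. Illustrative values; tune them against your required_score.
score SPF_FAIL      5.0
score SPF_SOFTFAIL  2.5

# If you already trust a specific domain, reward SPF pass only for
# that domain, not for the world. (Hypothetical domain.)
whitelist_from_spf  *@example.com
```

Outright rejection of SPF failures at SMTP time is done in the MTA (or a milter), not in SpamAssassin, which only scores.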

