ietf-mxcomp

Re: Interaction with anti-spam systems (was Re: A spammer subscribed to this list ? )

2004-08-04 12:44:35

In <20040804185931(_dot_)60B3617109(_at_)mail(_dot_)nitros9(_dot_)org> "Alan DeKok" <aland(_at_)ox(_dot_)org> writes:

"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:
There are mechanisms that people could in theory use to obtain a
false assurance that an email is authentic.

  To change the topic slightly, while the use of MARID may ensure that
the email is authentic, that information isn't very useful.  We
already know that spammers think their email is authentic.  What *is*
useful is using MARID to find email that *isn't* authentic.

Positive authentication is useful for whitelists.  


  e.g. I've talked to people who say that 90% of the SPF records they
see are from spammers.

  Why?  Because people are using SPF in conjunction with anti-spam
systems like Spamassassin, and giving *positive* scores to email which
passes SPF.  The end result is that spammers can *gain* by publishing
SPF records, as their spam is more likely to get through.

I caught the very end of the ASRG audio session yesterday and I heard
someone giving this claim.  I think this claim is completely bogus.

First off, the current version of SpamAssassin doesn't check SPF
records; it is the yet-to-be-released version 3.0 that will do it.

Secondly, see the following quote:

  If, instead, Spamassassin (and similar systems) were to give *zero*
additional score for a sender which passes SPF, then spammers would
have nothing to gain by publishing those records.  SPF could still be
used in conjunction with Spamassassin, to take messages which fail
SPF, and either reject them, or give them high negative scores.

That is *exactly* what Spamassassin does.  I have no idea where the
assumption that the Spamassassin folks are clueless came from.  They
understood these issues when they were participating in the SPF
mailing lists last year.


  To put it another way, if a site publishes SPF records, you still
have no idea whether or not you can trust email from that site.  But
you *can* decide that email which doesn't pass SPF for a site is
definitely untrustworthy.

Publishing SPF records alone does not make a domain trustworthy.  It
does, however, let you safely decide whether the domain is worth
whitelisting or blacklisting.


-wayne
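An added illustration, not from this thread and not SpamAssassin's own code, of the policy the message describes: an SPF pass earns nothing on its own, the whitelist applies only to a sender whose identity has actually been authenticated, and an SPF fail is penalised. The scores, threshold, domain names and whitelist below are constructed assumptions.

```python
from dataclasses import dataclass

SPAM_THRESHOLD = 5.0      # assumed SpamAssassin-style spam threshold
SPF_FAIL_PENALTY = 4.0    # assumed score added when SPF fails
WHITELIST_BONUS = -100.0  # assumed score for authenticated, whitelisted senders

@dataclass
class Verdict:
    score: float
    reason: str

def score_message(spf_result, sender_domain, content_score, whitelist,
                  pass_bonus=0.0):
    """Combine a content score with an SPF result.

    pass_bonus is the negative score some sites add for an SPF pass; the
    thread's point is that it must stay 0 so publishing a record gains a
    spammer nothing. A pass only matters when the domain is whitelisted.
    """
    if spf_result == "fail":
        # Forged sender: penalise and never consult the whitelist, or a
        # forger could borrow a whitelisted domain name.
        return Verdict(content_score + SPF_FAIL_PENALTY,
                       "spf fail: forged sender, whitelist ignored")
    if spf_result == "pass":
        score = content_score + pass_bonus
        if sender_domain in whitelist:
            return Verdict(score + WHITELIST_BONUS, "spf pass, whitelisted")
        return Verdict(score, "spf pass, domain unknown: no credit")
    # none / neutral / softfail etc.: SPF says nothing about identity
    return Verdict(content_score, f"spf {spf_result}: no identity info")

def is_spam(verdict):
    return verdict.score >= SPAM_THRESHOLD

WHITELIST = {"example.com"}  # constructed whitelist

def demo():
    """Constructed cases; returns the four is_spam decisions."""
    spam = 6.0  # constructed content score of a spam message
    # A spammer publishes SPF, so its mail passes. With a pass bonus it
    # slips under the threshold; with a zero bonus it does not.
    bonus = score_message("pass", "spammer.example", spam, WHITELIST, -2.0)
    zero = score_message("pass", "spammer.example", spam, WHITELIST)
    # A forged message claiming a whitelisted domain fails SPF: no whitelist.
    forged = score_message("fail", "example.com", 1.0, WHITELIST)
    # Genuine whitelisted sender with unlucky content still gets through.
    legit = score_message("pass", "example.com", spam, WHITELIST)
    return is_spam(bonus), is_spam(zero), is_spam(forged), is_spam(legit)
```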

