Wayne wrote:
> In <20040804185931(_dot_)60B3617109(_at_)mail(_dot_)nitros9(_dot_)org> "Alan DeKok" <aland(_at_)ox(_dot_)org> writes:
> > Positive authentication is useful for whitelists.
> ...
> I caught the very end of the ASRG audio session yesterday and I heard
> someone giving this claim. I think this claim is completely bogus.
> First off, the current version of spamassassin doesn't check SPF
> records, it is the yet-to-be-released version 3.0 that will do it.
> Secondly, see the following quote:
> > If, instead, Spamassassin (and similar systems) were to give *zero*
> > additional score for a sender which passes SPF, then spammers would
> > have nothing to gain by publishing those records. SPF could still be
> > used in conjunction with Spamassassin, to take messages which fail
> > SPF, and either reject them, or give them high negative scores.
> That is *exactly* what Spamassassin does. I have no idea where the
> assumption that the Spamassassin folks are clueless came from. They
> understood these issues when they were participating in the SPF
> mailing lists last year.
> ...
> Publishing SPF records alone does not make a domain trustworthy. It
> does, however, let you safely decide whether the domain is worth
> whitelisting or blacklisting.
Do not expect Sender-ID to ever allow blacklisting. Sender-ID is too
complex and relies upon the security of a mail channel, which does not exist.
The Sender-ID records contain a series of possible domains, and the PRA
allows for the evaluation of less recent headers. Where the message had
emerged remains unknown. To blacklist a domain, it must be verified
where the mail was sent. The point behind this type of negative listing
is to improve policies related to access. As many domains may share an
MTA server, the only policy enforcement that makes sense is the ISP
forcing use of this MTA. Any other downstream domain could claim to be
one of these Sender-ID identities. Sender-ID makes assumptions that are
not valid if it is used to blacklist.
-Doug
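The scoring policy discussed in the quoted text (an SPF pass earns nothing on its own and only helps if the domain was separately whitelisted, while a fail is penalised) as an added example, not code from this thread or from SpamAssassin. It assumes constructed SPF records for hypothetical domains in place of DNS TXT lookups and handles only ip4/ip6 mechanisms plus the "all" terminator.

```python
import ipaddress

# Constructed SPF records for hypothetical domains, standing in for DNS TXT
# lookups. Only ip4/ip6 mechanisms and the "all" terminator are handled.
SPF_RECORDS = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
    "lax.example": "v=spf1 +all",          # a "everything passes" record a spammer could publish
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip):
    """Return pass/fail/softfail/neutral/none for the connecting IP."""
    record = SPF_RECORDS.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        # membership is False when address and network are different IP versions
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term


def score_message(domain, client_ip, whitelist, fail_penalty=5.0, whitelist_bonus=-3.0):
    """Apply the policy from the thread; higher score means more likely spam.
    A pass adds nothing by itself and only lowers the score when the domain
    was independently whitelisted. A fail is penalised regardless of domain."""
    result = evaluate_spf(domain, client_ip)
    if result == "fail":
        return result, fail_penalty
    if result == "softfail":
        return result, fail_penalty / 2
    if result == "pass" and domain in whitelist:
        return result, whitelist_bonus
    return result, 0.0                     # pass without whitelist, neutral, or none
```

Note that `lax.example` passes for any client IP yet still earns a score of 0.0 unless it is whitelisted, which is the point of the policy.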