I can't see how what you described could
possibly scale to anything a large email provider would ever do, ...
This argument is going into the weeds. The question is whether the
information in Received headers is useful for mail system management
(which is not a synonym for spam filtering) and your apparent
assertion that it only matters what giant mail systems do is pretty
creepy.
Do you seriously think that Google has special-case header parsing to deal
with spam from Cornell students' infected computers? No, they just use
machine learning.
Unfortunately, due to NDA's I can't talk about Google's spam
filtering.
SPF allows me to discard all messages that claim to be from domain X but come
from IP addresses not listed for domain X,
Yeah, we know what SPF does, and the many and wonderful ways that it
doesn't quite do what it's supposed to. But since nobody has ever
said that we use Received headers for sender authorization, there's
still no point here.
And if the site _is_ trustworthy, then modulo a few small exceptions
like Cornell, it's not originating anything that can be reasonably
identified as spam, because if it could have been reasonably
identified as spam, it would never have been forwarded.
Aw, come on. I get plenty of spam from Gmail and Yahoo, all of which
is 100% SPF, DKIM, and DMARC compliant and has 100% real Received
headers. Unless you are extremely unusual, you do too. Crooks sign
up for public mail systems to send spam, and on mail systems of all
sizes they steal or guess AUTH credentials to spam through compromised
accounts, or compromise web servers and spam through buggy old
drupal and wordpress setups.
We don't use header chains for validation, we use it to figure out who
to blame, who to alert, and who to block.
I don't know who "we" is here. Is this really how Google, et al., operate?
I can't talk about Google, but I can tell you from direct experience
working around their DMARC damage that some other large mail systems
use Received headers as part of their spam filtering process, which is
not just checking sender authorization.
Some of us go to conferences like MAAWG where we spend a lot of time
talking to people who run all sorts of medium and large mail systems,
and other conferences where we talk about security problems and
responses to them with various combinations of cops and nerds. It's
OK that you're not as familiar with all this stuff, just as I am not
as familiar with a lot of the DNS and IPv6 stuff you do. But you
might consider the possibility that we actually do know something
about the areas in which we work.
R's,
John
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp