Tuesday, June 29, 2004, 3:43:23 AM, Stuart wrote:
SDG> On Mon, 28 Jun 2004, Chris Drake wrote:
Meng: you need to tell people in your spec that "softfail" will cause
all baysian-equipped email clients (inc. all mozilla/thunderbird/etc
ones) to silently eradicate legitimate emails. In other words - state
in the strongest possible terms that softfail is a BAD IDEA, and that
the full "fail" is the only acceptable way for legitimate senders to
know that their email did not reach their recipient.
SDG> Those who cannot tolerate false positives should NOT be using bayesian
SDG> filtering at all. However, I agree that REJECTing rather than silently
SDG> trashing is the proper response in case of softfail. This is easy to do
SDG> if all filtering is done in the MTA. (I use a sendmail milter to
SDG> both check SPF and do bayesian filtering.)
SDG> When content filtering is done later, this is more difficult. So let
SDG> me ask you, in case of content filtering rejecting a message after SMTP
that is
SDG> SOFTFAIL for SPF, should it be bounced (potentially spamming the
SDG> domain in case of forgery) or trashed (potentially losing legit mail)?
My point was that SOFTFAIL should be avoided because it allows emails
to be deleted later without telling anyone. Forcing me to consider
what should happen if someone deliberately chooses not to take my
advice is not sensible, however, if any form of SOFTFAIL were to be
allowed, I would recommend that this information be witheld or
disguised from baysian filters so that such results can never hold any
processable information to them (in other words - a SOFTFAIL can NEVER
contribute to spam scoring). The *point* of SPF is to return email
accountability so that people *can* "bounce" things and have a
reasonable assurance that the person who gets the bounce is the
sender. Letting it be used to make the situation it's trying to solve
get worse is *really* wrong.
As for David Brodbeck's comment " Anyone who relies on email for
"life-and-death situations" should NOT be using client-side baysian
filtering (or any client-side filtering, for that matter.) If they
are, it's their own fault when they lose legitimate mail. Baysian
filtering generates false positives by design -- they're a necessary
part of the training process. "
... well - it speaks for itself. Send a bunch of flowers with "I told
you so, Love David." to their headstone. Not everyone knows what a
baysian (or other) filter is - and most likely not anyone in
life-and-death situations, who no doubt have more pressing things to
think about. We should not be committing people to the grave because
they won't do what we tell them (eg: "Don't use Netscape") - we
*should* be doing what we can so that we don't contribute to their
journey 6-foot-under instead.
Chris.