spf-discuss

Re: Opening Debate on SPF vs. SenderKeys

2004-08-20 15:07:16
On Sat, 21 Aug 2004 05:13:08 +0800, AccuSpam <support(_at_)accuspam(_dot_)com> 
wrote:

I would give SenderKeys an overall thumbs down. MUA-based solutions don't
gain traction.

That we can debate. POP gained traction. Without MUA traction, how will you ever get SMTP AUTH? Without SMTP AUTH, how will you get "-all" for SPF domains? Without "-all", how can you detect forgery with 100% certainty with SPF?

You can implement "-all" for SPF domains, without using SMTP AUTH, when all users of the domain send email from a webmail interface, or from an "internal" IP address.

Domains which cannot implement SMTP AUTH or do not meet these criteria will not use "-all", and thus forged emails from their domain will not be stopped by SPF.

Blacklist-based systems don't stop SPAM.


Here you are evaluating SenderKeys in terms of the authority's algorithm for when to auto-respond. What you assume is that for example, AccuSpam is blacklisting individual addresses, which is not the case. AccuSpam is counting the disapproval vs. approval ratio for a domain, then if it is a spammer domain (one that sends > 99% spam from a probabilistic metric ... not pure ratio), then it blacklists the entire spammer domain (e.g. gooddeals.com, a001.com, etc). The statistics theory prevents blacklisting of domains that send some non-spam.

So the blacklisting of AccuSpam does stop spam. In fact, 91% as of last measurement on average for all our users!

So, to be clear: AccuSpam is the "authority", whereas SenderKeys is this mechanism for authenticating a message.

Given a message with a missing SenderKeys signature, SenderKeys will pass the message to the "authority" (AccuSpam or spamassassin, perhaps) and the authority will use whatever additional heuristics it chooses. If the message has an invalid or incorrect signature, SenderKeys will presumably block the message (bounce, drop, whatever the user wants at that point).

If the message fails the tests, it will be returned to the sender with the recommendation that they upgrade to SenderKeys because someone is using their address to send spam messages, or their messages look too much like spam.

In this mode, SenderKeys acts as a 'whitelist' mechanism for the authority, allowing messages through filters.

And, the authority chooses whether or not to

And whitelist-based systems block the most important mail - "Your order has been shipped" and "Please confirm your email address".

I already said that AccuSpam does not do this. AccuSpam is a radical new invention called "CNR" - Challenge Non Response.

You are getting me (and others) confused about the difference between AccuSpam and SenderKeys.

Perhaps it would be beneficial to call this SenderKeys+AccuSpam ?

I am very happy to elaborate if you can please appeal to the list to reinstate me. I have turned off my auto-responder.

Well I'll include your plea in my reply and Cc it to the list, but I'm not exactly too sympathetic given that you have been rude and adversarial during your time on the list, whereas I prefer a more positive tone.

CU
Dobes