Re: Opening Debate on SPF vs. SenderKeys
2004-08-20 15:07:16
On Sat, 21 Aug 2004 05:13:08 +0800, AccuSpam <support(_at_)accuspam(_dot_)com>
wrote:
I would give SenderKeys an overall thumbs down. MUA-based solutions don't
gain traction.
That we can debate. POP gained traction. Without MUA traction, how
will you ever get SMTP AUTH? Without SMTP AUTH, how will you get "-all"
for SPF domains? Without "-all", how can you detect forgery with 100%
certainty with SPF?
You can implement "-all" for SPF domains, without using SMTP AUTH, when
all users of the domain send email from a webmail interface, or from an
"internal" IP address.
Domains which cannot implement SMTP AUTH or do not meet these criteria,
will not use "-all" and thus forged emails from their domain will not
be stopped by SPF.
Blacklist-based systems don't stop SPAM.
Here you are evaluating SenderKeys in terms of the authority's algorithm
for when to auto-respond. What you assume is that for example, AccuSpam
is blacklisting individual addresses, which is not the case. AccuSpam
is counting the disapproval vs. approval ratio for a domain, then if it
is a spammer domain (one that sends > 99% spam from a probabilistic
metric ... not pure ratio), then it blacklists the entire spammer domain
(e.g. gooddeals.com, a001.com, etc). The statistics theory prevents
blacklisting of domains that send some non-spam.
So the blacklisting of AccuSpam does stop spam. In fact, 91% as of last
measurement on average for all our users!
So, to be clear: AccuSpam is the "authority", whereas SenderKeys is this
mechanism for authenticating a message.
Given a message with a missing SenderKeys signature, SenderKeys will pass
the message to the "authority" (AccuSpam or spamassassin, perhaps) and the
authority will use whatever additional heuristics it chooses. If the
message has an invalid or incorrect signature, SenderKeys will presumably
block the message (bounce, drop, whatever the user wants at that point).
If the message fails the tests, it will be returned to the sender with the
recommendation that they upgrade to SenderKeys because someone is using
their address to send spam messages, or their messages look too much like
spam.
In this mode, SenderKeys acts as a 'whitelist' mechanism for the
authority, allowing messages through filters.
And, the authority chooses whether or not to
And
whitelist-based systems block the most important mail - "Your order has
been shipped" and "Please confirm your email address".
I already said that AccuSpam does not do this. AccuSpam is a radical new
invention called "CNR" - Challenge Non Response.
You are getting me (and others) confused about the difference between
AccuSpam and SenderKeys.
Perhaps it would be beneficial to call this SenderKeys+AccuSpam ?
I am very happy to elaborate if you can please appeal to the list to
reinstate me. I have turned off my auto-responder.
Well I'll include your plea in my reply and Cc it to the list, but I'm not
exactly too sympathetic given that you have been rude and adversarial
during your time on the list, whereas I prefer a more positive tone.
CU
Dobes