spf-discuss

Re: Unified SPF policy daemon and constructing a personal whitelist

2004-09-09 23:03:22

| >  First, all the known identities are tested in search of a
| >  positive result.  (A positive result requires that both
| >  authentication and policy tests pass.)  If the policy test
| >  passes, that means "the purported sender is known not to be
| >  a spammer domain";
| 
| 
| Which will include all domains the spammers use only once per spam run,
| unless your policy tests sources are updated in real-time and have a large
| enough sample to detect re-use of domain within spam run.
| 
| 


No, what you said would be "the purported sender is not
known to be a spammer domain".

What I said was "the purported sender is known not to be a
spammer domain."


My point was the semantic difference is useless for anti-spam unless you know 
that all "not known" implies a spammer domain.  I agree that per-domain 
anti-forgery can help against spoofing which can enable *SOME* domains to build 
good reputations (since you eliminate the spam spoofing of those domains), but 
it does not mean that domains without reputations are spammers.

Can you assume that "not known" reputation is a higher probability of being a 
spammer without increasing false positives?  Maybe.  Perhaps it depends on your 
overall anti-spam algorithm.

However, not all ISPs entirely stop spam coming from their own domains, even 
with per-domain anti-forgery, thus either they cannot build good reputations 
or if they are allowed to build good reputations then your PASS algorithm is 
going to generate false negatives (be a new hole for spammers to exploit).

Again I reiterate that per-domain anti-forgery is good for stopping some e-mail 
forgery (especially some important cases for corporations), but I doubt it will 
do much to slow spam, perhaps just cause spammers to declare SPF records and 
change domains more frequently or focus more on zombies sending over domains 
with good reputations.