"Stuart D. Gathman" suggested
I am testing a new policy for Python Milter.
<snip>
I know some of you are going to hate this idea, but I wan't to hear the
criticism, and perhaps change things.
Here is a sample DSN, this one for what was obviously (to a human) a forgery:
To: dh(_dot_)hurley_59(_at_)osuuspankki(_dot_)fi
From: postmaster(_at_)mail(_dot_)bmsi(_dot_)com
Subject: Critical mail server configuration error
Auto-Submitted: auto-generated (configuration error)
MIME-Version: 1.0
Content-Type: text/plain
Someone at IP address 211.108.109.85 sent an email to
greg(_at_)bmsi(_dot_)com, claiming to be sent from
dh(_dot_)hurley_59(_at_)osuuspankki(_dot_)fi(_dot_)
The subject was:
Subject: Online Drugs - save up to 80%
If that wasn't you, then your domain, osuuspankki.fi,
was forged! This is a very serious problem, especially if
you are part of an institution such as a bank - since the
forger is probably trying to rob your customers. You need
to provide authentication for your SMTP (email) servers to
prevent criminals from forging your domain.
<snip>
Three suggestions about the wording, rather than the idea:
1) I think the clause "especially if ... since the forger is probably trying to
rob your customers" is unwise.
In the specific example you use, where the subject is "Online Drugs - save up to
80%", it's obvious that the message is not attempting to rob a bank, so your
response immediately looks automated and irrelevant. That perception then
diminishes the credibility of the rest of the (very good) advice.
I think it is very important to stay factual and credible in this kind of
communication.
2) I think the word 'forged' needs to be explained. Even within SPF circles
people have disagreed about the use of that word in this context. I would have
said something like "...used without your authority, by sombody attempting to
forge or steal your mail identity."
3) I would also not use exclamation marks in messages like this. That's too
close to spammer-style.
That said, the rest is (to me) excellent.
Chris Haynes