spf-discuss

RE: Re: Qurb SPF plug-in for Outlook and Outlook Express

2005-03-10 19:52:15
At 05:07 PM 3/10/2005 -0800, Linus Upson wrote:

We have exactly the same concerns you expressed, and tried to address
them. One of the reasons we chose to use the term "Not Verified" instead
of something stronger such as "Forged" was because we observed the false
positive rate for SPF to be significantly higher than 1 in 10,000. In
our experience, every user will see a false positive from time to time.

I wouldn't call these "false positives" as that term tends to imply that SPF is being used as a spam filter, and that could perpetuate the notion that it doesn't work.

Hopefully we've hit the right balance between "Be suspicious of this
message," and "Don't be too surprised if a good email is marked Not
Verified." When users see "Not Verified" on a message from a friend the
warning tends to be easily ignored. However, when users see "Not
Verified" on a message asking for their credit card number they tend to
be much more cautious.

This will evolve over time also, and that seems like a good thing for SPF. It will encourage everyone to take SPF more seriously, and "Not Verified" will eventually start to mean "Be very suspicious".

-- Dave

*************************************************************     *
* David MacQuigg, PhD              * email:  dmq'at'gci-net.com   *  *
* IC Design Engineer               * phone:  USA 520-721-4583  *  *  *
* Analog Design Methodologies                                  *  *  *
*                                  * 9320 East Mikelyn Lane     * * *
* VRS Consulting, P.C.             * Tucson, Arizona 85710        *
*************************************************************     *


Linus


-----Original Message-----
From: Frank Ellermann [mailto:nobody(_at_)xyzzy(_dot_)claranet(_dot_)de]
Sent: Wednesday, March 09, 2005 9:31 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] Re: Qurb SPF plug-in for Outlook and Outlook Express


Linus Upson wrote:

> Qurb will never throw mail away because of a FAIL

Please try hard to make sure your users understand that SPF is
not really designed for this usage.  For the one false positive
out of 10,000 FAILs rejected at the MX the sender would get a
good bounce and can try to resend his mail on another route.

If an end user was "trained" to delete 9,999 out of 10,000 spam
mails identified by a FAIL (your "not verified"), then he might
also delete the one false positive.

There's also a possible race condition if you check SPF behind
the point where it should be checked, but as you said that
could be considered as "poorly configured SPF record".  If you
explain this in a way that all your users reading manuals can
understand, that would be great.

                       Bye, Frank
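Frank's point that SPF should be evaluated at the MX, and Linus's observation that a client-side checker shows "Not Verified" on good mail from time to time, come down to one question: which IP address is fed into the check. The MX knows the SMTP client IP from the TCP connection it accepted; a plug-in running behind the MX has to reconstruct that IP from Received headers, and if it reads the wrong hop it evaluates the wrong address. The following is an added example written for this thread, not code from Qurb or from any of the posters; the hostnames, addresses, Received lines and SPF record are constructed, and a tiny in-memory evaluator (ip4/ip6 mechanisms and "all" only) stands in for real DNS lookups.

```python
"""Where an SPF check runs changes its answer.

Added example for the spf-discuss thread above; it is not code from Qurb or
from any of the posters. Hostnames, addresses and SPF records are constructed,
and a tiny in-memory evaluator stands in for real DNS lookups.
"""
import ipaddress
import re

# Constructed SPF record, keyed by the MAIL FROM domain (stands in for DNS TXT).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Minimal SPF evaluation: only ip4/ip6 mechanisms and 'all' are supported."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def ip_seen_by(received_headers, border_host):
    """Recover the SMTP client IP the border MX saw, from the trace headers.

    Received headers are prepended, so the list is newest-first; we want the
    one written *by* the border MX, not the internal hop written after it.
    """
    for header in received_headers:
        by = BY_RE.search(header)
        ip = IP_RE.search(header)
        if by and ip and by.group(1).lower() == border_host.lower():
            return ip.group(1)
    return None


def naive_last_hop_ip(received_headers):
    """What a client-side checker gets if it simply reads the topmost header."""
    match = IP_RE.search(received_headers[0])
    return match.group(1) if match else None


# Constructed trace of one legitimate message, newest header first: the
# border MX accepted it from the sender, then handed it to the mail store.
RECEIVED = [
    "Received: from mx.recipient.example ([10.0.0.5]) by store.recipient.example "
    "with LMTP; Thu, 10 Mar 2005 19:00:02 -0700",
    "Received: from mail.example.com (mail.example.com [192.0.2.10]) "
    "by mx.recipient.example with ESMTP; Thu, 10 Mar 2005 19:00:01 -0700",
]
MAIL_FROM_DOMAIN = "example.com"
BORDER_MX = "mx.recipient.example"


def result_at_mx():
    """At the MX the client IP is known from the TCP connection itself."""
    return check_spf(MAIL_FROM_DOMAIN, "192.0.2.10")


def result_at_client_naive():
    """Behind the MX, reading the topmost hop evaluates an internal address."""
    return check_spf(MAIL_FROM_DOMAIN, naive_last_hop_ip(RECEIVED))


def result_at_client_correct():
    """Behind the MX, locating the border hop reproduces the MX's answer."""
    return check_spf(MAIL_FROM_DOMAIN, ip_seen_by(RECEIVED, BORDER_MX))


if __name__ == "__main__":
    print("at MX:              ", result_at_mx())              # pass
    print("client, topmost hop:", result_at_client_naive())    # fail
    print("client, border hop: ", result_at_client_correct())  # pass
```

The same legitimate message passes at the MX and fails in the naive client-side check, which is the kind of "Not Verified" on a friend's mail that Linus describes. The MX can also act on its result while the SMTP session is still open, so a rejected FAIL produces a bounce at the sender's side, which is the difference Frank draws between rejecting at the MX and deleting in the mail client.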




