> >There's no need to check SPF when you're going to reject the message
> >based on bad recipient addresses, bad HELO information, local blacklists,
> >or accept it based on local whitelists, etc.
>
> The SPF check has to be done first, or you will pass a message just
because
> it claims to be from aol.com. I think what you are suggesting might work
Not true. He said "if your going to REJECT the message based on ...".
He did not say anything about passing the message prior to SPF.
If my policy says to REJECT any message claiming to be from
"ownitmortgage.com" (one of ~1500 in my blacklist), I really could not care
less whether it was forged.
Good point. I just wonder if blacklists will be any good in the
future. Why would any spammer use a blacklisted domain name? My guess is
that these "known spamming domains" will be a very small fraction of the
total. Most will be "unknown" domains recently established, with no
reputation or accreditation. By the time they get a bad reputation, they
will be discarded by the spammers in favor of fresh "unknown" names.
The quick checks are worth doing, I just wouldn't count on them in the future.
-- Dave
************************************************************* *
* David MacQuigg, PhD * email: dmq'at'gci-net.com * *
* IC Design Engineer * phone: USA 520-721-4583 * * *
* Analog Design Methodologies * * *
* * 9320 East Mikelyn Lane * * *
* VRS Consulting, P.C. * Tucson, Arizona 85710 *
************************************************************* *