spf-discuss

Re: Re: HELO versus MAILFROM results

2005-05-05 23:05:02
Frank Ellermann wrote:
> Your argument "the spammer could simply pick something else"
> is also valid for the MAIL FROM.  In fact I hope that he picks
> something else.  As always SPF is about FAIL, it only tries to
> "harden" the FQDNs and addresses, because spam fighting based
> only on IPs is no longer good enough.

Not quite.

Picking "something else" for MAIL-FROM does not help a phisher.

Also, it does not help a spammer much. In order to maximize the chances
of delivery of the spam, he has to pick a MAIL-FROM address that is
mostly used legitimately (ie, has good reputation, ie, spam filters are
more likely to assign it a favourable non-spam score). Spam filters are
more likely to be suspicious of random domain names they see for the
first time, which of course lowers the chances of delivery.

That's why random@yahoo.com is used so much for spam. A lot of sites
receive genuine email from yahoo.com users, so naturally they give
yahoo.com mail a slightly better score than other random addresses.
Same scenario with hotmail, but their SPF policy is probably starting to
eat into the spammer's successful delivery statistics.

So a spammer will try to use as real a MAIL-FROM domain as possible.

I have shown before in the closed-loop reputation establishing
algorithm based on SPF results that "none" results will eventually get a
very unfavourable spam score, so essentially they will spell "spam".
Almost everyone then will avoid sending mail from domains which are not
SPF enabled. Including spammers. The chances of any mail from a non-SPF
domain will be slim to none, which is not what spammers are looking for.

> With a "verified HELO" (= permitted IP) you can do some really
> interesting stuff like your forwardmaster-plan or op=trusted.

My forwardmaster plan is not based on HELO, but on RCPT and on "the list".

Maybe this "op=trusted" may use HELO. Where is the "op=trusted" explained?

Radu.
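The thread turns on two things: how a receiver decides whether the connecting IP is "permitted" for the HELO identity and for the MAIL FROM identity, and how the resulting pass/fail/none verdicts feed a reputation score in which "none" eventually reads as spam. The following is an added example, not code from the list or from any SPF implementation. It evaluates a deliberately small subset of SPF (ip4, ip6, include, all) against constructed records held in a dictionary instead of DNS, checks both identities of one SMTP session (with the null reverse-path falling back to the HELO domain), and then models the closed-loop scoring as a toy Laplace-smoothed tally; that tally is a hypothetical stand-in, since the post above does not spell out its actual algorithm. All domains, records and addresses are made up (documentation ranges).

```python
"""Minimal SPF evaluator for the HELO and MAIL FROM identities (added example)."""
import ipaddress

# Constructed SPF records keyed by domain; stands in for the DNS TXT lookups a
# real checker would perform. Every domain and address here is hypothetical.
RECORDS = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "mail.example.net": "v=spf1 ip4:192.0.2.10 -all",
    "bulk.example": "v=spf1 include:example.net -all",
    "softfail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "neutral.example": "v=spf1 ip4:192.0.2.10",
    "nospf.example": None,          # publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for a domain and client IP.
    Models only the ip4, ip6, include and all mechanisms; a, mx, ptr and exists
    are skipped, which is enough to show how a 'permitted IP' is decided."""
    if depth > 10:                  # RFC 4408 caps the number of recursive lookups
        return "permerror"
    record = RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"               # no policy published: nothing to verify against
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = addr.version == net.version and addr in net
        elif term.startswith("include:"):
            # include: matches only when the included domain yields 'pass'
            matched = check_spf(term[len("include:"):], ip, depth + 1) == "pass"
        else:
            continue                # mechanism not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # no mechanism matched


def evaluate_session(client_ip, helo, mail_from):
    """Check both identities of one SMTP session: (helo_result, mailfrom_result).
    A null reverse-path (MAIL FROM:<>) falls back to the HELO domain, as SPF specifies."""
    helo_result = check_spf(helo, client_ip)
    sender = mail_from.strip("<>")
    mf_domain = sender.rsplit("@", 1)[1] if "@" in sender else helo
    return helo_result, check_spf(mf_domain, client_ip)


class SpfReputation:
    """Toy closed-loop scorer (hypothetical; the post does not give its algorithm).
    Spam/ham verdicts are tallied per (domain, SPF result); 'none' is keyed on the
    result alone, since SPF-less domains cannot be told apart and so share one bucket."""

    def __init__(self):
        self.counts = {}            # key -> [ham, spam]

    def _key(self, domain, result):
        return (None, result) if result == "none" else (domain, result)

    def observe(self, domain, result, is_spam):
        bucket = self.counts.setdefault(self._key(domain, result), [0, 0])
        bucket[1 if is_spam else 0] += 1

    def spam_probability(self, domain, result):
        ham, spam = self.counts.get(self._key(domain, result), [0, 0])
        return (spam + 1) / (ham + spam + 2)   # Laplace-smoothed; unseen bucket -> 0.5


if __name__ == "__main__":
    print(evaluate_session("192.0.2.10", "mail.example.net", "user@example.net"))
    print(evaluate_session("203.0.113.7", "mail.example.net", "victim@example.net"))
    rep = SpfReputation()
    for i in range(9):              # nine spam hits from nine unrelated SPF-less domains
        rep.observe("random-%d.example" % i, "none", True)
    rep.observe("yahoo.com", "pass", False)
    print(rep.spam_probability("new.example", "none"), rep.spam_probability("yahoo.com", "pass"))
```

Run as a script it prints the two session verdicts and the two scores. The forged session (203.0.113.7 claiming mail.example.net and example.net) fails on both identities, and after nine spam observations the shared "none" bucket scores a never-seen SPF-less domain at 10/11, which is the effect the post describes: once "none" carries that weight, a sender gains nothing by picking a random unregistered domain.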