spf-discuss

Re: Re: People keep misunderstanding what "Pass" and "Neutral" mean

2005-05-24 21:22:51
In <429185CE(_dot_)7060300(_at_)de-korte(_dot_)org> Arjen de Korte 
<spf+discuss(_at_)de-korte(_dot_)org> writes:

wayne wrote:

Yes, you have every right to do whatever you want with your machine,
but senders have every right to do whatever they want with their SPF
records.  If publishing SPF records that result in Neutral causes
their email to be more likely to be rejected, then I think a lot of
domain owners will simply stop publishing SPF records.

So likewise, domain owners should not publish an SPF record which may
result in a 'softfail' either?

The problem is treating Neutral as worse than None, or even Pass as
worse than None.  Yes, many spammers publish SPF records to give
themselves a Pass value.  That just means that those spammer domains
can be more accurately rejected.  Treating SPF results the same
across all domains is misleading at best.



I don't think we should try to interfere with what people will do with any
SPF result, it's beyond our control. Any result from SPF can and will be
used, there is no way to stop it and people better know this beforehand.

Yes, I *do* think we should try and stop people from doing foolish
things.  We need to make sure people understand that a Pass result
from SPF doesn't mean something isn't spam.  We need to make sure that
people don't treat Neutral/Pass worse than None.  We need to do this
because those kinds of actions are usually caused by a
misunderstanding of what SPF is good for.


By punishing domain owners for having SPF records that can return
Neutral, you may get a short term gain in spam filtering, but you are
hurting us all in the long term.

In that case, we might just as well scrap 'softfail' and 'neutral' from
the SPF specification. Results which must not be used by the recipient
are useless and basically a waste of effort. Sorry, but that doesn't cut
it for me.

Actually, I long argued that presenting both Neutral and None results
was a bad idea.  I didn't succeed, and I think we are now paying the
price.  As far as "softfail" goes, yeah, it might be an ok spam
indicator, but, like all SPF results, it will be much more accurate
when applied on a per-domain basis.


It would be insane to reject mail on a 'neutral' score alone. But in a
scoring system (like SA) the occasional additional points gathered
should not be a problem for legitimate mail. As long as it doesn't score
on additional spamminess rules, there is no problem at all. For real
spam messages, it might be just the additional weight to tip the balance.

And for real ham messages, it might also be just enough to cause a
reject.

First of all I don't think there will be that many systems that are
running SA directly on their inbound mailservers (due to the expensive
nature of SA). Not many MTAs will allow for an easy integration so that
it is possible to run SA before the DATA phase is over (I know there are
Milters available for Sendmail, so technically it is possible). Many
MTAs will first accept the message and then run SA. In that case a
reject is no longer possible.

I run SA-exim, and I love it.  I think it creates a very effective
greylisting system, since greylisting only happens to "spammy"
messages from new sources.  Yeah, it is a little expensive, but so is
running SA afterwards.



Besides that, one rule scoring in SA will not very likely lead to
classifying a message as unwanted. I'm sure that the word VIAGRA in this
message will earn it some points, but I would be surprised if the
message would be rejected somewhere.

Yeah, but again, one rule scoring in SA is unlikely to move the score
across the threshold, either spam->ham or ham->spam.  It still all
adds up and creating a rule that gives incorrect results for many
domains is a problem.  Going to a per-domain judgement on the SPF
result is going to be much more useful.  Then you can tell if most
Neutral results from AOL are spammy, while at the same time, someone
who has just published an experimental SPF record won't be hurt.


-wayne
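
The per-domain judgement discussed in this message, sketched as an added example that is not part of the original post and not SpamAssassin code. The domains, the sample history, the `MIN_SAMPLES` threshold and the `MAX_POINTS` cap are all assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample history: (envelope-sender domain, SPF result, was_spam).
# Domains are placeholders, not data from the thread.
HISTORY = (
    [("bigisp.example", "neutral", True)] * 40
    + [("bigisp.example", "neutral", False)] * 10
    + [("bigisp.example", "pass", False)] * 45
    + [("bigisp.example", "pass", True)] * 5
    + [("spammer.example", "pass", True)] * 30
    + [("newdomain.example", "neutral", False)] * 2
)

MIN_SAMPLES = 20   # assumed: history needed before a domain gets its own judgement
MAX_POINTS = 3.0   # assumed: cap on the score adjustment, in either direction


def build_table(history):
    """Count spam and ham per (domain, spf_result) pair."""
    table = defaultdict(lambda: [0, 0])  # key -> [spam, ham]
    for domain, result, was_spam in history:
        table[(domain, result)][0 if was_spam else 1] += 1
    return table


def spf_points(table, domain, result):
    """Score adjustment for one message; positive means more spam-like.

    Pairs with too little history get 0.0, the same as no SPF record,
    so a freshly published record is never scored worse than None.
    """
    spam, ham = table.get((domain, result), (0, 0))
    if result == "none" or spam + ham < MIN_SAMPLES:
        return 0.0
    # Smoothed log-odds of spam for this domain and this SPF result.
    log_odds = math.log((spam + 1) / (ham + 1))
    return max(-MAX_POINTS, min(MAX_POINTS, round(log_odds, 2)))


TABLE = build_table(HISTORY)

if __name__ == "__main__":
    for key in sorted(TABLE):
        print(key, spf_points(TABLE, *key))
```

With this table a Pass from a domain that only sends spam adds points, a Pass from a mostly clean domain subtracts them, and a Neutral from a domain seen twice changes nothing.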