spf-discuss
[Top] [All Lists]

Re: Re: People keep misunderstanding what "Pass" and "Neutral" mean

2005-05-25 09:13:52
wayne schreef:

The problem is treating Neutral as worse than None, or even Pass as
worse than None.  Yes, many spammers publish SPF records to give
themselves a Pass value.  That just means that those spammer domains
can be more accurately rejected.  Treating SPF results the same
accross all domains is misleading at best.

Now we're getting somewhere. I fully agree that looking at a combination
of SPF result and domain name would be much more useful than the SPF
result alone (Radu Hociung explained in detail a while ago on this
list). Implementations for different MTA's are available too.

The reason to add the 'neutral' score to SA too, is that it doesn't make
sense to use 'pass', 'fail', 'softfail' and 'none', but to ignore
'neutral'. Either you use them all, or none at all. Most of these rules
are low scoring anyway. Notice that even a 'fail' will only award 0.875
point (with Bayesian filtering enabled, without it will score just
0.001). SA is being used widely now, so it makes sense to do use that
for a start.

[...]

Yeah, but again, one rule scoring in SA is unlikely to move the score
across the threshold, either spam->ham or ham->spam.

I don't think so. There is a fairly large gap between spam and ham in
SA (where the score is indecisive). The score on these rules will never
be so high that it is possible to push it straight from spam->ham (see
above). So it may push a message over the limit from unknown->spam. For
legitimate messages which do not score on other rules, a mistake will
not be a problem. However, for forged messages (which are likely to
score on other rules too) it may be just enough to tip the scale.

It still all adds up and creating a rule that gives incorrect results
for many domains is a problem.

It all depends on how many points you award. The are many rules in SA
that give wrong results (the DUL lists, when enabled for instance). Yet
the scores awarded to these rules will not be enough to classify a
message as spam alone. It's always better to have ten rules scoring just
half a point, then one rule scoring five. The same goes for SPF results
separated from the domain names. Just a fractional amount of points is
justified, since it *does* indicate that a message is more likely to be
forged.

Arjen