
Re: [spf-discuss] Fwd: I am not spam! OK, so i am not much better. :(

2006-06-11 09:53:31
On Sunday 11 June 2006 11:23, paddy wrote:

> Scott, you go on to talk about cross-user forgery.  I think this is
> an important issue, but I think SPF is very valuable even without
> such prevention. Yes, it makes sense to consider such issues in the
> context of whitelisting, but I don't think as black and white as
> you put it: there are other issues besides cross-user forgery,
> such as malware, that mean you still have to be careful with
> whitelisting.


I don't believe that cross-user forgery is a big concern today unless one has 
a domain that is one that spammers/phishers would want to specifically target 
and most of those are big domains (e.g. ebay) that run dedicated servers 
anyway.

I do think that there is increasing interest in putting e-mail reputation on a 
name vice IP address basis.  As this develops, cross-user forgery will become 
increasingly important.  That said, I think it makes sense to consider it now 
in SPF record development as for most people, SPF is a set it and forget it 
exercise unless they change providers.

Personally, I've worried about this since I first got involved in SPF because 
as an independent consultant who is VERY dependent on e-mail for customer 
communication, the last way I want to find out about some new RHSBL is when 
my e-mail can't go through.

Agree one needs to be careful about whitelisting.  My receiver policy on that 
is to whitelist against spam filtering, but not virus checking.

In the long run I think that reputation will be based on a combination of 
sending domain (e-mail address - envelope and/or body) and mail server (HELO 
name) reputation.  E.g. the reputation of both this mail server and this 
domain is really good, so I'll skip the CPU cycles needed for ___ filtering 
or the reputation of this domain is really good and they've authorized this 
server, so even though the reputation of this server is REALLY bad, I'll 
accept the message and scrutinize it closely before deciding how to deliver 
it.

It pays us to be thinking about how SPF fits into that kind of ecosystem now.

Scott K
