On Sunday 11 June 2006 11:23, paddy wrote:
> Scott, you go on to talk about cross-user forgery. I think this is
> an important issue, but I think SPF is very valuable even without
> such prevention. Yes, it makes sense to consider such issues in the
> context of whitelisting, but I don't think it is as black and white as
> you put it: there are other issues besides cross-user forgery,
> such as malware, that mean you still have to be careful with
> whitelisting.

I don't believe that cross-user forgery is a big concern today unless one has
a domain that is one that spammers/phishers would want to specifically target
and most of those are big domains (e.g. ebay) that run dedicated servers
anyway.

I do think that there is increasing interest in putting e-mail reputation on a
name vice IP address basis. As this develops, cross-user forgery will become
increasingly important. That said, I think it makes sense to consider it now
in SPF record development as for most people, SPF is a set it and forget it
exercise unless they change providers.

Personally, I've worried about this since I first got involved in SPF because
as an independent consultant who is VERY dependent on e-mail for customer
communication, the last way I want to find out about some new RHSBL is when
my e-mail can't go through.

Agree one needs to be careful about whitelisting. My receiver policy on that
is to whitelist against spam filtering, but not virus checking.

In the long run I think that reputation will be based on a combination of
sending domain (e-mail address - envelope and/or body) and mail server (HELO
name) reputation. E.g. the reputation of both this mail server and this
domain is really good, so I'll skip the CPU cycles needed for ___ filtering
or the reputation of this domain is really good and they've authorized this
server, so even though the reputation of this server is REALLY bad, I'll
accept the message and scrutinize it closely before deciding how to deliver
it.

It pays us to be thinking about how SPF fits into that kind of ecosystem now.

Scott K
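
The receiver policy described in the message above, sketched as an added example that is not part of the original post: a whitelist or good reputation can relax spam filtering but never virus checking, and a domain's reputation is only applied when SPF shows the domain authorized the sending server. The function and field names, the 0 to 1 reputation scale, the thresholds, and the choice to ignore the whitelist without an SPF pass are all assumptions of this sketch.

```python
from dataclasses import dataclass

GOOD, BAD, UNKNOWN = 0.8, 0.2, 0.5  # assumed 0..1 reputation scale and cut-offs

@dataclass(frozen=True)
class Message:
    mail_from_domain: str  # domain of the envelope sender
    helo_name: str         # name the connecting server gave in HELO/EHLO
    spf_result: str        # SPF result computed upstream: pass, fail, softfail, neutral, none

def plan_checks(msg, domain_rep, server_rep, whitelist):
    """Decide how much filtering a message gets; returns a dict of actions."""
    # Virus checking is never skipped, whatever the whitelist or reputation says.
    plan = {"virus_scan": True, "spam_filter": "normal"}
    # Name-based reputation (and the whitelist) only count when SPF says the
    # domain authorized this server; otherwise the name may simply be forged.
    if msg.spf_result != "pass":
        return plan
    d = domain_rep.get(msg.mail_from_domain, UNKNOWN)
    s = server_rep.get(msg.helo_name, UNKNOWN)
    if msg.mail_from_domain in whitelist or (d >= GOOD and s >= GOOD):
        plan["spam_filter"] = "skip"    # save the CPU cycles
    elif d >= GOOD and s <= BAD:
        plan["spam_filter"] = "strict"  # accept, but scrutinize before delivery
    return plan

# Constructed sample data (not from the original message).
DOMAIN_REP = {"consultant.example": 0.95, "bulk.example": 0.1}
SERVER_REP = {"mx.consultant.example": 0.9, "shared.host.example": 0.05}
WHITELIST = {"customer.example"}

if __name__ == "__main__":
    samples = [
        Message("consultant.example", "mx.consultant.example", "pass"),
        Message("consultant.example", "shared.host.example", "pass"),
        Message("customer.example", "mail.customer.example", "pass"),
        Message("customer.example", "mail.customer.example", "softfail"),
    ]
    for m in samples:
        print(m, "->", plan_checks(m, DOMAIN_REP, SERVER_REP, WHITELIST))
```

An SPF pass only says the domain authorized the server, so on a shared server this sketch does nothing about the cross-user forgery discussed in the message.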