On Mon, 4 Dec 2006, Meng Weng Wong wrote:

> On Dec 4, 2006, at 2:59 PM, Stuart D. Gathman wrote:
>> My system depends on extensive whitelists and blacklists. I can't
>> use the domain whitelist for a *message* without SPF PASS (because
>> the message might be forged), and I can't blacklist a *domain*
>> without SPF PASS (because the message might be forged and not
>> actually from that domain).
>
> That's technically true, but when do legitimate senders forge
> blacklisted domains?

The problem is that a spam from example.com with SPF neutral does not
let me blacklist example.com with confidence. Example.com might be
a joe job victim that has yet to publish an SPF record. You could argue
that I should "blacklist 'em anyway - that'll teach 'em not to publish SPF",
but my clients need to communicate with backward primitives who don't
publish SPF records - or have stupid policies.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
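
The rule argued in this message (domain whitelists and blacklists are consulted and updated only on SPF PASS), as an added Python illustration that is not code from the post or from any SPF project. The class and method names, the strike threshold, and the choice to reject SPF FAIL at message level are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class DomainReputation:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    spam_threshold: int = 3  # constructed value: strikes before blacklisting
    strikes: Counter = field(default_factory=Counter)

    def classify(self, domain: str, spf: str) -> str:
        """Decide one message: 'accept', 'reject' or 'content-filter'."""
        domain, spf = domain.lower(), spf.lower()
        if spf == "pass":
            # Only now is the MAIL FROM domain authenticated, so only now
            # may domain-level lists decide the outcome.
            if domain in self.blacklist:
                return "reject"
            if domain in self.whitelist:
                return "accept"
        elif spf == "fail":
            # Assumed local policy: the message is rejected as forged,
            # which says nothing about the named domain itself.
            return "reject"
        # neutral / none / softfail / errors: the domain name proves
        # nothing, so the message is judged on its content alone.
        return "content-filter"

    def report_spam(self, domain: str, spf: str) -> bool:
        """Record a spam report; return True if the domain is blacklisted."""
        domain = domain.lower()
        if spf.lower() != "pass":
            # Possible joe job: never charge unauthenticated spam to the domain.
            return False
        self.strikes[domain] += 1
        if self.strikes[domain] >= self.spam_threshold:
            self.blacklist.add(domain)
        return domain in self.blacklist


def demo() -> DomainReputation:
    # Constructed scenario: example.com is forged in spam (SPF neutral),
    # spammer.example sends spam that passes SPF.
    rep = DomainReputation(whitelist={"partner.example"})
    for _ in range(5):
        rep.report_spam("example.com", "neutral")
    for _ in range(3):
        rep.report_spam("spammer.example", "pass")
    return rep
```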