Re: [spf-discuss] SPF, DKIM, and NIH

--On 14 October 2009 15:08:15 -0700 David MacQuigg 
<macquigg(_at_)ece(_dot_)arizona(_dot_)edu> wrote:
> OK, I think I understand now what you mean by "sender".  Sender
> (individual author) addresses are worthless to identify bad senders.
> See above.
That's simply not my experience. I've seen spear phishing attacks from 
gmail accounts that are listed on blacklists. The blacklisting of sender 
addresses does have value to me.
But, there's a bigger picture here. I'd like to rate-limit new senders that 
haven't earned a good reputation. I can do that for individual gmail users, 
but can't apply the same rate limit to all gmail users.
Therefore, I need a reputation system that allows me to key on sender 
addresses. However, to do that, I need some sort of assurance that the 
author address hasn't been spoofed.
Why rate limit? Well, for example, I see about 1% of users responding to 
spear-phishing with passwords, and (amusingly, but annoyingly) about 1% 
responding with abuse to the phisher, and about 1% reporting the abuse to 
me. So, an effective phishing attack requires to hit a few hundred people 
at a time. I'd be quite happy with freezing mail in my mail queue in these 
circumstances, for new bulk senders from large ESPs, until I can approve it.


--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ 
[http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com