spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-16 17:27:45
Ian Eiloart wrote:

--On 16 October 2009 08:08:22 -0700 David MacQuigg <macquigg(_at_)ece(_dot_)arizona(_dot_)edu> wrote:

Ian Eiloart wrote:

--On 14 October 2009 15:08:15 -0700 David MacQuigg
<macquigg(_at_)ece(_dot_)arizona(_dot_)edu> wrote:

OK, I think I understand now what you mean by "sender".  Sender
(individual author) addresses are worthless to identify bad senders.
See above.

That's simply not my experience. I've seen spear phishing attacks from
gmail accounts that are listed on blacklists. The blacklisting of
sender addresses does have value to me.

I wasn't aware of any blacklists of individual sender addresses. I would
like to give it a try.  Where can I find one?

<http://www.scamnailer.info/> has a script that will update spamassassin or clamav configurations with a list of about 14k addresses that have been used for scamming. I think the S/A rules generalise from those addresses a little.

I'm having a hard time believing this actually works. Of the spam hitting your receiver, what percent is rejected by finding a *bad* individual sender address on the scamnailer list?

It just doesn't make sense that a spammer with an unlimited supply of free unknown addresses would continue using a specific individual sender address that is known worldwide as "bad". Why not just switch to the next "unknown" name? Unknown is always better than definitely bad.

But, there's a bigger picture here. I'd like to rate-limit new senders
that haven't earned a good reputation. I can do that for individual
gmail users, but can't apply the same rate limit to all gmail users.

I would rather not try to separate good from bad within Gmail.  That is
really Gmail's responsibility.  I just rate the entire mailflow from
Gmail to our receivers.  Whitelisting of individual Gmail authors can be
done by our individual recipients.

Absolutely, but you want to check the DKIM signature before applying the whitelist. Otherwise, every whitelist entry is an invitation to spam.

I've never seen it happen. A spammer would have to know both addresses exactly. If an individual recipient whitelists an individual sender, we pass it straight through, without SPF, DKIM, SpamAssassin, or anything else that might cause a false reject.

-- Dave
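
The check quoted above ("check the DKIM signature before applying the whitelist") can be sketched as follows. This is an added example, not code from anyone in the thread. It assumes the receiver's own verifier stamps an Authentication-Results header with the hypothetical authserv-id `mx.example.net`, that the signing domain must exactly match the author's domain, and that all addresses and messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own verifier

def dkim_pass_domains(msg):
    """d= domains that our own verifier reported as dkim=pass."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # stamped by someone else, possibly the sender
        for res in results.split(";"):
            if re.search(r"\bdkim\s*=\s*pass\b", res, re.I):
                m = re.search(r"\bheader\.d\s*=\s*([\w.-]+)", res, re.I)
                if m:
                    domains.add(m.group(1).lower())
    return domains

def whitelist_applies(raw, recipient, whitelist):
    """True only if the author is whitelisted AND a passing DKIM
    signature covers the author's domain (exact match assumed)."""
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].lower()
    if author not in whitelist.get(recipient, set()):
        return False
    return author.rpartition("@")[2] in dkim_pass_domains(msg)

def sample(auth_results):
    # Constructed message; addresses and header values are made up.
    return (f"Authentication-Results: {auth_results}\n"
            "From: Alice <alice@gmail.com>\n"
            "To: bob@example.net\n"
            "Subject: hello\n\nbody\n")

WHITELIST = {"bob@example.net": {"alice@gmail.com"}}
GENUINE = sample("mx.example.net; dkim=pass header.d=gmail.com")
SPOOFED = sample("mx.example.net; dkim=none")
FORGED_HEADER = sample("mx.attacker.example; dkim=pass header.d=gmail.com")

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOFED", "FORGED_HEADER"):
        print(name, whitelist_applies(globals()[name], "bob@example.net", WHITELIST))
```

A receiver relying on this header also has to strip any inbound Authentication-Results header that already carries its own authserv-id before adding the real one.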

