At 03:15 PM 9/6/2004, Hadmut Danisch wrote:
On Mon, Sep 06, 2004 at 11:52:03AM -0600, R. A. Hettinga wrote:
E-mail security company MX Logic Inc. will report this week that 10 percent of all spam includes such SPF records,
I have mentioned this problem more than a year ago in context of my RMX draft (SPF, CallerID and SenderID are based on RMX). Interestingly, nobody really cared about this major security problem. All RMX-derivatives block forged messages (more or less). But what happens if the attacker doesn't forge? That's a hard problem. And a problem known from the very beginning of the sender verification discussion.
It's not a hard problem, just a different problem. Whitelisting your friends and aggressively filtering strangers is an obvious technique for reducing false positives without increasing false negatives, but it fails if spammers can forge identities of your friends. RMX-derivatives help this problem, and they help the joe-job problem. If a spammer wants to claim that they're the genuine spammers-are-us.biz, well, let them. I find it more annoying that there are spammers putting PGP headers in their messages, knowing that most people who use PGP assume PGP-signed mail is from somebody genuine and whitelist it. ---- Bill Stewart bill.stewart@pobox.com