Bill Stewart wrote:
At 03:15 PM 9/6/2004, Hadmut Danisch wrote:
On Mon, Sep 06, 2004 at 11:52:03AM -0600, R. A. Hettinga wrote:
E-mail security company MX Logic Inc. will report this week that 10
percent
of all spam includes such SPF records,
I have mentioned this problem more than a year ago in context of my RMX draft (SPF, CallerID and SenderID are based on RMX). Interestingly, nobody really cared about this major security problem. All RMX-derivatives block forged messages (more or less). But what happens if the attacker doesn't forge? That's a hard problem. And a problem known from the very beginning of the sender verification discussion.
It's not a hard problem, just a different problem.
Whitelisting your friends and aggressively filtering strangers is an obvious technique for reducing false positives without increasing false negatives, but it fails if spammers can forge identities of your friends. RMX-derivatives help this problem, and they help the joe-job problem.
If a spammer wants to claim that they're the genuine spammers-are-us.biz, well, let them.
I find it more annoying that there are spammers putting PGP headers in their messages, knowing that most people who use PGP assume PGP-signed mail is from somebody genuine and whitelist it.
Surely you should check that: a) The signature works b) Is someone in your list of good keys before whitelisting? -- ApacheCon! 13-17 November! http://www.apachecon.com/ http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff