Marc Perkel wrote:

> I'm still waiting for anyone to describe any use for SPF
> that doesn't create false positives on normal email forwarding
> or allow spammers to whitelist themselves by using correct SPF
> to send spams.

Marc, this is very, very simple, and all these points have been raised
in this thread, but not all at once together.  This is my attempt to
bring the whole picture into four concise points.

1) SPF is all but useless at positively identifying Spam.  We all know
this.

        Corollary: Do not use SPF-Fail as a spam indicator.

2) SPF is also useless at detecting ham.  An SPF-Pass means that a given
email really is coming from the domain it claims to come from, but that
is not an indication that it is "good" or wanted.

        Corollary: Do not use SPF-Pass as a ham indicator.

3) Let's say you bank with Bank of MyBank BankCorp.  MyBank.com
specifies an SPF record.  You receive a message claiming to be from
mybank.com, and it passes SPF.  You can be reasonably certain it is
legitimate.

        Corollary: Do use SPF in combination with a whitelist to make
the whitelist more powerful.

4) You receive another message from mybank.com, and it fails SPF.  This
could be a spam/scam/phish email.  It could also have been forwarded to
you, either by your own forwarder, or by a friend who's forwarding you
news about them.

        Corollary: Do not use SPF to blacklist messages.  Messages
failing SPF are merely not whitelisted, and thus subject to normal
anti-spam efforts.  A legitimate, forwarded mail is likely to pass the
spam tests.  A spam/scam/phishing email is not.

THAT'S IT!  That's all she wrote.  End of discussion.  It meets the
requirements you specified, and here's the benefit it offers in the
context of SpamAssassin (so as to keep at least a modicum of
on-topic-ness):

* whitelist_from:  Dangerous, because anyone can forge From headers.

* whitelist_from_rcvd:  Better, but requires you to make configuration
changes every time the sender adds or changes outgoing mail servers.

* whitelist_from_spf:  Ding!  We have a winner.  It's a
whitelist_from_rcvd where the sender can automatically provide you with
updates to their list of outgoing mail servers.

What would be even better is to use SPF-Pass in combination with a
whitelist at the MTA level, so that whitelisted "From" addresses passing
SPF can skip SpamAssassin and other anti-spam checks entirely.  This
reduces load on the mail server, and minimizes the chance of false
positives.

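The four-point policy above, as an added illustration that is not part of the original message and not SpamAssassin's own whitelist_from_spf implementation. It reads the SPF result from a Received-SPF header (RFC 7208 section 9.1 format), matches the From: address against an assumed whitelist, and returns only two verdicts: skip the spam scanner, or run the normal checks. SPF fail never produces a reject. The whitelist pattern, the domains, the IP addresses and the sample messages are all constructed for the example; the requirement that the SPF-verified envelope-from be in the same domain as the From: header is this example's own check, added so that a spammer with a valid SPF record for their own domain cannot whitelist themselves by forging the From: header.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatch

# Assumed whitelist, in the spirit of SpamAssassin's whitelist_from_spf:
# glob patterns for From: addresses that may bypass the spam scanner, but
# only when the message also carries an SPF "pass" for that same domain.
WHITELIST = ["*@mybank.com"]

SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"}


def parse_received_spf(header):
    """Split a Received-SPF header (RFC 7208 section 9.1) into (result, key/values).

    Missing, empty or unrecognised headers are treated as "none" so they can
    never trigger the whitelist shortcut.
    """
    m = re.match(r"\s*([A-Za-z]+)", header or "")
    if not m or m.group(1).lower() not in SPF_RESULTS:
        return "none", {}
    result = m.group(1).lower()
    # Drop the free-text comment in parentheses, then read the key=value pairs.
    rest = re.sub(r"\([^)]*\)", "", header[m.end():], count=1)
    kv = {}
    for part in rest.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key.strip().lower()] = value.strip().strip('"<>')
    return result, kv


def domain_of(address):
    return address.rpartition("@")[2].lower()


def classify(raw_message, whitelist=WHITELIST):
    """Return "skip-checks" or "normal-checks" for a message; never "reject".

    Only one combination earns the shortcut: the From: address is on the
    whitelist, the SPF result is "pass", and the identity SPF actually
    verified (envelope-from) is in the same domain as the From: header.
    Everything else, SPF fail included, goes to the regular spam checks.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    result, kv = parse_received_spf(msg.get("Received-SPF"))
    envelope_from = kv.get("envelope-from", "")
    whitelisted = any(fnmatch(from_addr.lower(), pat.lower()) for pat in whitelist)
    if whitelisted and result == "pass" and domain_of(envelope_from) == domain_of(from_addr):
        return "skip-checks"
    return "normal-checks"


def build(from_header, spf_header):
    """Constructed sample message carrying only the headers the policy reads."""
    return "\n".join([
        "From: " + from_header,
        "Received-SPF: " + spf_header,
        "Subject: test",
        "",
        "body",
    ])


# Constructed sample messages; every address, host and IP is illustrative.
BANK_DIRECT = build(
    "MyBank Alerts <alerts@mybank.com>",
    "pass (mx.example.net: domain of alerts@mybank.com designates 192.0.2.10 "
    "as permitted sender) client-ip=192.0.2.10; envelope-from=\"alerts@mybank.com\";")
BANK_FORWARDED = build(  # same mail relayed by a forwarder not listed in mybank.com's SPF
    "MyBank Alerts <alerts@mybank.com>",
    "fail (mx.example.net: domain of alerts@mybank.com does not designate "
    "198.51.100.7 as permitted sender) client-ip=198.51.100.7; envelope-from=\"alerts@mybank.com\";")
FORGED_FROM_OWN_SPF = build(  # spammer with a valid SPF record for spam.example forges From:
    "MyBank Alerts <alerts@mybank.com>",
    "pass (mx.example.net: domain of x@spam.example designates 203.0.113.5 "
    "as permitted sender) client-ip=203.0.113.5; envelope-from=\"x@spam.example\";")
UNKNOWN_SPF_PASS = build(  # honest SPF pass from a domain nobody whitelisted
    "x@spam.example",
    "pass (mx.example.net: domain of x@spam.example designates 203.0.113.5 "
    "as permitted sender) client-ip=203.0.113.5; envelope-from=\"x@spam.example\";")
```

Of the four samples only BANK_DIRECT skips the scanner; the forwarded bank mail, the forged From: with a spammer's own SPF pass, and the unrelated SPF pass all fall through to the normal checks, which is points 1 through 4 of the message in code. The envelope-from comparison matters because SPF authorises the MAIL FROM (or HELO) identity, not the From: header the user sees, so "passes SPF" and "is from mybank.com" are two separate facts that both have to hold before the whitelist applies.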