Jo Rhett wrote:
> Benn, you are missing the point. AWL is working very well for our
> needs.
I have never been fond of AWL because the information it relies upon,
the mail headers, is very easy to forge. It depends too much upon
trusting the sender. And in the case of spam that trust model is
already a problem. I normally disable AWL entirely. I just don't
feel it is benefiting enough to be worth the problems. It was an idea
that made a good experiment but unfortunately IMNHO didn't work out
very well in practice.
If the mail headers could be trusted then the result would be
completely different. Perhaps AWL would be very effective if it were
only applied to headers when those headers could be trusted. Such as
when trusted_networks, DKIM or other trust model exists.
> What I am pointing out is that AWL should not be used for mail from
> self to self, because this is an easy forgery.
It is all very easy to forge. But self to self is very easy for the
recipient to spot as a forgery. (Unless they have a short memory and
are very gullible. :-)
> AWL counts on the spammer not being able to forge someone you
> correspond with normally. This is usually true, but forging your
> own address is trivial.
I disagree with the premise that it is hard to forge mail from someone
you correspond with frequently. It is equally easy to forge. With
signed headers, whitelist_from_{rcvd,spf,other} it may be possible to
catch targeted forgeries but in general it isn't solved yet.
Bob
