Jo Rhett wrote: > Benn, you are missing the point. AWL is working very well for our > needs.
I have never been fond of AWL because the information it relies upon, the mail headers, is very easy to forge. It depends too much upon trusting the sender. And in the case of spam that trust model is already a problem. I normally disable AWL entirely. I just don't feel it is benefiting enough to be worth the problems. It was an idea that made a good experiment but unfortunately IMNHO didn't work out very well in practice. If the mail headers could be trusted then the result would be completely different. Perhaps AWL would be very effective if it were only applied to headers when those headers could be trusted. Such as when trusted_networks, DKIM or other trust model exists. > What I am pointing out is that AWL should not be used for mail from > self to self, because this is an easy forgery. It is all very easy to forge. But self to self is very easy for the recipient to spot as a forgery. (Unless they have a short memory and are very gullible. :-) > AWL counts on the spammer not being able to forge someone you > correspond with normally. This is usually true, but forging your > own address is trivial. I disagree with the premise that it is hard to forge mail from someone you correspond with frequently. It is equally easy to forge. With signed headers, whitelist_from_{rcvd,spf,other} it may be possible to catch targeted forgeries but in general it isn't solved yet. Bob