On Tue, 19 Jun 2012 18:02:28 -0400
Jeff Mincy wrote:

>    From: John Hardin <jhar...@impsec.org>
>    Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
>    
>    On Tue, 19 Jun 2012, Benny Pedersen wrote:
>    
>    > On 2012-06-19 22:39, Kevin A. McGrail wrote:
>    >
>    >>  I think that's the concept behind the whitelist_from_spf
>    >
>    > but some use whitelist_from, it's nothing new there :=)
>    >
>    > can user_in_whitelist be changed to not have -100 as default
>    > score, or is whitelist_from planned for removal?
>    
>    It's needed for when none of the other more-strict whitelist
>    options will work, so we can't just get rid of it.
>    
> True.
> 
>    I'd suggest instead a lint warning if it is used, alerting the
>    admin that it's discouraged and that it has problems like this and is
>    very easy to spoof.
>    
> How about creating a different score for whitelist_from that is
> separate from whitelist_from_rcvd?   For example, whitelist_from could
> trigger USER_IN_SIMPLE_WHITELIST (or some other variation).   The
> description of the test could include warnings about how easy
> it is to spoof whitelist_from.

If used sensibly, USER_IN_WHITELIST is probably the most reliable rule we
have; for the overwhelming majority of addresses it's far more accurate
than SPF-based whitelisting. It's not always right to treat users as
idiots.
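
The lint warning John Hardin suggests in the quoted text, sketched as an added example (not part of the thread and not SpamAssassin's own lint code): a Python check that flags plain `whitelist_from` entries in a configuration and leaves `whitelist_from_rcvd` and `whitelist_from_spf` alone. The function name, warning text and sample configuration are constructed for illustration.

```python
def lint_whitelist(config_text):
    """Return (line_no, address, message) for each plain whitelist_from entry.

    Hypothetical helper: only the directive names come from the thread.
    """
    warnings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        # Exact match only: the stricter whitelist_from_rcvd and
        # whitelist_from_spf directives are not flagged.
        if directive != "whitelist_from":
            continue
        for addr in args:  # several addresses may share one line
            msg = "matches on the From address alone, which is easy to spoof"
            if "*" in addr or "?" in addr:
                msg += "; wildcard pattern widens the match"
            warnings.append((line_no, addr, msg))
    return warnings


# Constructed sample configuration, not taken from any real site.
SAMPLE_CF = """\
# local whitelist entries
whitelist_from       newsletter@example.com
whitelist_from       *@example.org  boss@example.net
whitelist_from_rcvd  alerts@example.com  example.com
whitelist_from_spf   billing@example.com
score USER_IN_WHITELIST -100.0
"""

if __name__ == "__main__":
    for line_no, addr, msg in lint_whitelist(SAMPLE_CF):
        print(f"line {line_no}: whitelist_from {addr}: {msg}")
```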
