On Wed, Nov 08, 2006 at 05:54:13PM +0000 or thereabouts, Ciaran McCreesh wrote:
> We've identified one very widely used application that interprets SPF
> records based upon how they're used by spammers rather than by how the
> specification says they should be interpreted. In this case, SA is
> entirely reasonable in its behaviour -- SPF makes the classic incorrect
> assumption that spammers won't abuse the system.
Ciaran, you obviously do not understand the issue, nor do you know what you're talking about.

The issue is that SpamAssassin assigns a score of ~1 to any email that FAILS an SPF check for a domain that has a ?all (neutral) rating. I want to stress that it has to FAIL. If it doesn't fail, I believe SA's default behavior is to assign a *negative* score of 0.1.

So, in other words, spammers aren't abusing anything related to SPF. They're sending mail using forged return-paths and SPF is highlighting that. Which is exactly what SPF is designed to do.

The impact is that some users happen to send mail in a way that ends up looking very similar to a spammer sending an email with a forged return-path. And, because of the way SA has chosen to interpret this, those valid, non-spam emails get assigned a positive spam value, even when the mail administrator has asked them not to.

--kurt
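The distinction the thread turns on is what an SPF check actually returns for a sender that is not listed in the record: a record ending in ?all yields "neutral", while one ending in -all yields "fail", and only the latter is what a filter scores as a forged return-path. The following is an added example, not code from the thread or from SpamAssassin: a minimal offline SPF evaluator for the ip4/ip6/all mechanisms, fed from a constructed table of records (the *.example domains and their records are invented), plus an illustrative score table whose values are assumptions and not SpamAssassin's real defaults.

```python
import ipaddress

# Constructed SPF records for illustration; these are not any real domain's records.
RECORDS = {
    "neutral.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "strict.example":  "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example":    "v=spf1 ip4:192.0.2.0/24 ~all",
    "v6.example":      "v=spf1 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefixes and the result each produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Illustrative per-result scores (assumed values, not SpamAssassin's defaults):
# a hard fail is penalised, a pass is a small bonus, neutral/none are ignored.
SCORES = {"pass": -0.1, "fail": 1.0, "softfail": 0.5, "neutral": 0.0, "none": 0.0}


def check_host(ip, domain, records=RECORDS):
    """Minimal check_host() in the style of RFC 4408, without DNS.

    Supports the ip4, ip6 and all mechanisms with +/-/~/? qualifiers.
    Mechanisms that need DNS (a, mx, include, exists) are skipped, i.e.
    treated as non-matching, so this is only a model of the evaluation order.
    """
    record = records.get(domain)
    if record is None:
        return "none"                      # no SPF record published
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            # "all" always matches; its qualifier decides the result
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        # a/mx/include/exists: would need DNS, treated as no match here
    # No mechanism matched and no "all" term: RFC 4408 says the result is neutral.
    return "neutral"


def spf_score(ip, domain, records=RECORDS, scores=SCORES):
    """Return (spf_result, score) for a sender IP claiming the given return-path domain."""
    result = check_host(ip, domain, records)
    return result, scores[result]


if __name__ == "__main__":
    # 198.51.100.7 is a constructed "unlisted" sender, e.g. a user mailing
    # from somewhere not in the domain's record.
    for domain in RECORDS:
        print(domain, spf_score("198.51.100.7", domain))
```

Run stand-alone, the script shows the same unlisted sender getting "neutral" (score 0.0) under ?all but "fail" (score 1.0) under -all, which is the boundary the thread is arguing about: only a record that actually fails the sender can trigger the fail score.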