On Wed, Oct 16, 2024 at 11:32 AM Slavko via mailop <mailop@mailop.org> wrote:
> On 16 October 2024 18:13:45 UTC, user Brandon Long via mailop <mailop@mailop.org> wrote:
>
> >The general theory is that a replay involves mail for a DKIM domain
> >coming from different sources/hops than it normally does. Having spf/dkim
> >both align is usually a good indication that a message is not a replay,
> >so that can be used to protect the majority "good" traffic and have
> >stronger rules against traffic which doesn't match.
>
> Yes, but having failed/not aligned SPF and success DKIM will be true for
> e.g. all indirect flows, including google workspace's issue discussed before.
> Or am I missing something?

Well, two things, one, the vast majority of flows are direct, so allowlisting them can remove 90-99% of traffic from the replay spam rules.

Second, the majority of indirect flows also tend to be consistent. This is one of the things that ARC could help with, establishing known/consistent flows and the reputation of them.

One could also establish a reputation on a spfdomain:dkimdomain pair, or even looking at regular volume for such pairs and then see that the volume of a pair is inconsistent with historical usage... or previously unknown.

Throttling incoming traffic based on historical usage can be effective as your learning system catches up or propagates in the general case.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
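
The spfdomain:dkimdomain reputation idea from the reply above, sketched as an added example that is not part of the original thread or any mailbox provider's code. The class name, thresholds and `.example` domains are assumptions, the organizational-domain helper is a simplification, and every message is assumed to carry a DKIM signature that verified.

```python
from collections import defaultdict
from statistics import mean

def org_domain(domain):
    # Simplification: last two labels. Real code would use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

class PairReputation:
    """Daily volume per (SPF domain, DKIM d=) pair, for DKIM-valid mail."""

    def __init__(self, min_days=7, spike_factor=5.0, new_pair_limit=10):
        self.min_days = min_days              # days of history before a pair is "known"
        self.spike_factor = spike_factor      # allowed multiple of the historical mean
        self.new_pair_limit = new_pair_limit  # daily allowance for an unknown pair
        self.history = defaultdict(list)      # pair -> past daily counts
        self.today = defaultdict(int)         # pair -> count so far today

    def end_of_day(self):
        # Roll today's counts into history; pairs not seen today record a zero.
        for pair in set(self.history) | set(self.today):
            self.history[pair].append(self.today.get(pair, 0))
        self.today.clear()

    def classify(self, from_domain, spf_domain, spf_pass, dkim_domain):
        """Return 'direct', 'known-indirect', 'unknown' or 'throttle'."""
        author = org_domain(from_domain)
        if spf_pass and org_domain(spf_domain) == author == org_domain(dkim_domain):
            return "direct"                   # both aligned: exempt from replay rules
        pair = (org_domain(spf_domain), org_domain(dkim_domain))
        self.today[pair] += 1
        past = self.history.get(pair, [])
        if len(past) < self.min_days:         # previously unknown or too little history
            return "throttle" if self.today[pair] > self.new_pair_limit else "unknown"
        if self.today[pair] > self.spike_factor * max(mean(past), 1.0):
            return "throttle"                 # volume inconsistent with history
        return "known-indirect"

def demo():
    # Constructed traffic: a forwarder relays 20 DKIM-signed messages a day for a week.
    rep = PairReputation()
    fwd = ("sender.example", "forwarder.example", True, "sender.example")
    for _ in range(7):
        for _ in range(20):
            rep.classify(*fwd)
        rep.end_of_day()
    normal = [rep.classify(*fwd) for _ in range(100)]
    burst = rep.classify(*fwd)   # message 101 of the day, over 5x the mean of 20
    replay = [rep.classify("sender.example", "bulk.example", True, "sender.example")
              for _ in range(11)]
    direct = rep.classify("sender.example", "mail.sender.example", True, "sender.example")
    return normal, burst, replay, direct
```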