On Thu, 24 Jul 2008 16:32:13, Scott Kitterman wrote:
> You appear to have missed the next step where spammers scrape Arthur's list
> mail address from the mailing list archives and use it as the Mail From
> address in spam they send to him.

That won't work because Arthur can't send any messages to himself
unless he puts his own domain or email on the whitelist. Command mails
from/to yourself are DISCARDED unless they are sent with SASL
authentication.

What you could do on the other hand is use the list's domain as a
forged sender. However, at this stage no spam I get is doing this
which is why I ignored this case for 0.1.0. (Besides, I don't think of
Postwhite as a magic stick, more another brick in the wall. For me, it
cuts SPAMs down from 10 per day to 1 per week at this point.)

DKIM can't be added to a policy server by design. SPF on the other
hand is doable. And it should do the trick because Postwhite only
makes sense if you subscribe to a digest that comes from the list
owner and not from the original sender. (Postwhite by design is
worthless if you subscribe to a mailing list's "individual mails"
instead of a digest.)

In addition, the client_name or reverse_client_name could be recorded
along with the whitelist entry to kick forged mails sent via another
MTA. The only flipside to this is that should the list owner for
whatever reason change the MTA, the whitelist would no longer deliver.
The same, however, is true if the list changes its domain. A weekly
automatic status message which lists these cases could at least alert
the user that he might have missed something. Good thing about mailing
lists - they all have archives.

Thanks for your thoughts, more, please :-)

PS:
I'll be offline till Tuesday.
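
The client_name pinning and the SASL rule for self-addressed mail described in the message above, sketched as a Postfix policy delegation check. This is an added example, not Postwhite's code: the whitelist layout, the class and function names, the sample request and the use of DUNNO for "pass on to later restrictions" are assumptions.

```python
# Added illustration, not Postwhite's code; whitelist layout and names are assumptions.

def parse_policy_request(raw):
    """Parse one Postfix policy delegation request: name=value lines, blank line ends it."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class PinnedWhitelist:
    def __init__(self, entries, unlisted_action="DUNNO"):
        # sender domain -> client_name recorded when the entry was created
        self.entries = {d.lower(): c.lower() for d, c in entries.items()}
        # What happens to unlisted senders is not covered in the message; assumed default.
        self.unlisted_action = unlisted_action
        self.mismatches = []  # material for the weekly status message

    def decide(self, attrs):
        sender = attrs.get("sender", "").lower()
        recipient = attrs.get("recipient", "").lower()
        # Mail from yourself to yourself passes only with SASL authentication.
        if sender and sender == recipient:
            return "DUNNO" if attrs.get("sasl_username") else "DISCARD"
        domain = sender.rpartition("@")[2]
        pinned = self.entries.get(domain)
        if pinned is None:
            return self.unlisted_action
        # Postfix reports client_name as "unknown" when it cannot verify the name.
        client = attrs.get("client_name", "unknown").lower()
        if client != pinned:
            # Listed domain arriving via another MTA: forged, or the list moved hosts.
            self.mismatches.append((domain, client))
            return "DISCARD"
        return "DUNNO"

    def respond(self, raw):
        return "action=%s\n\n" % self.decide(parse_policy_request(raw))

# Constructed sample: the list's domain used as sender, relayed through a different host.
FORGED = ("request=smtpd_access_policy\nsender=digest@lists.example.org\n"
          "recipient=arthur@example.com\nclient_name=relay.example.net\n"
          "sasl_username=\n\n")

if __name__ == "__main__":
    wl = PinnedWhitelist({"lists.example.org": "mx.lists.example.org"})
    print(wl.respond(FORGED), wl.mismatches)
```

The `mismatches` list collects exactly the cases the weekly status message would report, so a legitimate MTA change by the list owner shows up there instead of failing silently.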