On Tue, 14 Jan 2020 12:05:57 +0000 Nix wrote:
> I've come to the conclusion that TxRep is essentially unmaintained and
> basically doesn't work unless you use SQL storage, and have migrated
> back to the AWL, which still works fine. I hope I'm wrong.

I think people should think about whether they actually need TxRep. To me it's an additional risk rather than a safety net.

TxRep looks to be hacked-out from AWL, it's complex and lacks transparency. Most of its reported bugs are clearly visible; they involve long delays, runtime errors and debug messages. The chances are that these bugs are the tip of the iceberg. If it's also getting its computed score wrong, it will have to be pretty bad, pretty often, before anyone notices.

Most of what it does doesn't seem well designed. I think in part this is because it reuses AWL's database code and so sees everything as a score-averaging problem.

The chief flaw in AWL was that it used the first-public IP address from a forgeable received header. This potentially allows spammers to exploit a good reputation if they can match email addresses to IP address blocks.

TxRep uses a trusted IP address which is mostly a step forward (except for forwarded email where it's very much worse). However, in practice this is rarely used and it uses DKIM or SPF reputations instead. Unfortunately TxRep appears to mishandle SPF and treats the header "From" as being authenticated by a pass regardless of alignment with the envelope sender. This can allow spam to abuse good reputations without the spammer even trying.
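The alignment condition the message refers to, as an added example (not TxRep or SpamAssassin code, and not written by the poster): an SPF pass only vouches for the header "From" when the domain SPF actually checked matches the "From" domain. The function names and sample addresses are constructed, and only strict (exact-domain) alignment is implemented, since relaxed alignment needs a public suffix list.

```python
from email.utils import getaddresses, parseaddr


def domain_of(addr):
    """Lower-cased domain part of an address, or None if it has none."""
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower().rstrip(".") or None


def spf_checked_domain(envelope_from, helo):
    """Domain SPF evaluated: MAIL FROM, or HELO when the sender is null (<>)."""
    _, addr = parseaddr(envelope_from or "")
    if addr:
        return domain_of(addr)
    return (helo or "").lower().rstrip(".") or None


def reputation_identity(header_from, envelope_from, spf_result, helo=None):
    """Return (from_address, authenticated) for keying a sender reputation.

    authenticated is True only if SPF passed AND the domain SPF checked
    is the same as the header From domain (strict alignment).
    """
    addrs = [a for _, a in getaddresses([header_from]) if a]
    if len(addrs) != 1:
        # No usable From, or several authors: nothing safe to key on.
        return (None, False)
    from_addr = addrs[0].lower()
    from_dom = domain_of(from_addr)
    checked = spf_checked_domain(envelope_from, helo)
    aligned = (
        spf_result == "pass"
        and from_dom is not None
        and from_dom == checked
    )
    return (from_addr, aligned)


if __name__ == "__main__":
    # Constructed samples: (header From, envelope sender, SPF result, HELO)
    samples = [
        ('"Bank" <alerts@bank.example>', "<bounce@bank.example>", "pass", None),
        ('"Bank" <alerts@bank.example>', "<x@bulk.example>", "pass", None),
        ('"Bank" <alerts@bank.example>', "<>", "pass", "bank.example"),
    ]
    for s in samples:
        print(s[1], "->", reputation_identity(*s))
```

In the second sample SPF passes for `bulk.example`, so the pass says nothing about `alerts@bank.example`; a reputation store would need to keep that message apart from the authenticated history of the same address.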