Marc Perkel wrote:

> Since spammers can just as easily use SPF on their domains they can
> whitelist themselves if you use SPF for whitelisting.

No, they don't! Here's an example. The following is from a "whitelist" file used by our mail gateway:

---8<---
Verified_Sender [EMAIL PROTECTED]
Verified_Sender [EMAIL PROTECTED]@]+\.apache\.org
Verified_Sender [EMAIL PROTECTED]
Verified_Sender [EMAIL PROTECTED]
Verified_Sender [EMAIL PROTECTED]
Verified_Sender [EMAIL PROTECTED]
---8<---

Mail from (envelope) senders matching those regular expressions that come from relays authorized by SPF are never checked with SpamAssassin.

For example a mail from "[EMAIL PROTECTED]" will bypass SpamAssassin if the relay connecting to our gateway is authorized (by SPF) to send mail from the domain "regeringen.se".

A mail from "[EMAIL PROTECTED]" will *not* bypass SpamAssassin even if the relay is authorized by SPF.

Is such a simple whitelist method really so hard to understand?

(Now, I'm doing this whitelist outside of SpamAssassin (in a MIMEDefang filter, that also verifies DKIM/DomainKeys), but the SPF plugin for SpamAssassin can be used in a similar way.)

> I'm still waiting for anyone to describe any use for SPF that doesn't
> create false positives on normal email forwarding or allow spammers to
> whitelist themselves by using correct SPF to send spams.

You've been given several such examples, and I've added one above.

A whitelist such as the above will *not* allow spammers to whitelist themselves. *I* decide which addresses/domains will be in our whitelist.

A whitelist such as the above will *not* create false positives on normal email forwarding since it never ever creates any positives at all. It is only a whitelist and nothing else.

> The basic concept is flawed because it relies on the whole world
> adopting SRS to be at least not broken

Only if people use SPF to block mails.

(The above comment should make it obvious that I don't agree with all SPF proponents any more than I agree with all SPF opponents.)

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
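
The two-condition whitelist described in the message above, as an added example that is not part of the original post or the poster's MIMEDefang filter. The patterns, the `.example` domains and the function names are constructed for illustration, and the SPF result is assumed to come from a check done elsewhere in the gateway.

```python
import re

# Constructed whitelist entries (the addresses in the post are redacted).
# Each pattern must match the whole envelope sender, not a substring.
VERIFIED_SENDER_PATTERNS = [
    r"[^@]+@regeringen\.example",
    r"[^@]+@[^@]+\.apache\.example",
    r"newsletter@lists\.example",
]
VERIFIED_SENDERS = [re.compile(p, re.IGNORECASE) for p in VERIFIED_SENDER_PATTERNS]


def sender_is_listed(envelope_sender):
    """True if the MAIL FROM address fully matches an admin-chosen pattern."""
    addr = envelope_sender.strip().strip("<>")
    if not addr:
        # Null sender (bounce): there is no domain to tie an SPF pass to.
        return False
    # fullmatch stops "x@regeringen.example.evil.example" from slipping through.
    return any(p.fullmatch(addr) for p in VERIFIED_SENDERS)


def bypass_spam_check(envelope_sender, spf_result):
    """Skip content scanning only if SPF says 'pass' AND the sender is listed.

    spf_result is the result string of an SPF check performed elsewhere for
    the connecting relay and the envelope sender's domain (assumption).
    """
    if spf_result.strip().lower() != "pass":
        # neutral, softfail, none, fail, temperror: scan as usual.
        # The whitelist never rejects anything, so forwarding cannot
        # produce a false positive here.
        return False
    # A spammer with a correct SPF record reaches this point too, but is
    # not in the list, so the mail is still scanned.
    return sender_is_listed(envelope_sender)


if __name__ == "__main__":
    for sender, spf in [
        ("info@regeringen.example", "pass"),
        ("info@regeringen.example", "softfail"),
        ("offers@spamdomain.example", "pass"),
    ]:
        print(sender, spf, "->", "bypass" if bypass_spam_check(sender, spf) else "scan")
```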