RW wrote:
> On Wed, 29 Apr 2009 20:49:29 +0200
> mouss <mo...@ml.netoyen.net> wrote:
>
>> On the other hand, a spammer can forge Received headers, and this is a
>> serious problem. Using "untrusted" received headers is broken.
>>     
>
> The point of AWL is to tweak ham scores towards the mean to avoid
> outlying high-scores causing FPs. The AWL score arithmetic doesn't
> involve BAYES scores or whitelisting scores, so a spammer that
> spoofs an existing AWL entry isn't going to pick up all that much
> advantage. Most spam either wouldn't be protected by spoofing an
> entry, or scores low enough without it. And spammers don't know
> much about your AWL database in the first place.
>
> If a spammer wants to exploit AWL the easiest way is to send some
> low-scoring dummy spams ahead of the real one - this doesn't require
> forging headers.
>   
Yes, the existing algorithm may fix gmail, but it also breaks road warriors.

The AWL could be re-designed to use the trust boundary, AND work
correctly for gmail.

See some of my discussion of this topic in bug 6015, particularly point
numbers 6 and 7, which would fix gmail problems.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6105
