On Wed, Nov 08, 2006 at 05:54:13PM +0000 or thereabouts, Ciaran McCreesh wrote:
> We've identified one very widely used application that interprets SPF
> records based upon how they're used by spammers rather than by how the
> specification says they should be interpreted. In this case, SA is
> entirely reasonable in its behaviour -- SPF makes the classic incorrect
> assumption that spammers won't abuse the system.

Ciaran, you obviously do not understand the issue, nor do you know what
you're talking about.

The issue is that SpamAssassin assigns a score of ~1 to any email that
FAILS an SPF check for a domain that has a ?all (neutral) rating. I want
to stress that it has to FAIL. If it doesn't fail, I believe SA's default
behavior is to assign a *negative* score of 0.1.

So, in other words, spammers aren't abusing anything related to SPF.
They're sending mail using forged return-paths and SPF is highlighting
that. Which is exactly what SPF is designed to do.

The impact is that some users happen to send mail in a way that ends up
looking very similar to a spammer sending an email with a forged
return-path. And, because of the way SA has chosen to interpret this,
those valid, non-spam emails get assigned a positive spam value, even when
the mail administrator has asked them not to.

--kurt
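To make the two steps the thread argues about concrete, here is an added example (not code from SpamAssassin, from the SPF specification, or from anyone on this list): a minimal SPF evaluator covering only the `ip4:` and `all` mechanisms with their `+`/`-`/`~`/`?` qualifiers, followed by a separate, constructed score table standing in for whatever a filter chooses to do with each result. The score values are assumptions for illustration, not SA's actual rule scores.

```python
import ipaddress

# Qualifier prefix -> SPF result, as in RFC 4408 section 4.6.2.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate sender_ip against an SPF TXT record.

    Hypothetical minimal evaluator: handles only 'ip4:' and 'all';
    include/a/mx/exists and macros are deliberately out of scope.
    Returns one of: pass, fail, softfail, neutral, none.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier, mech = "+", term  # a bare mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech = mech.lower()
        if mech == "all":
            return result  # 'all' matches every sender
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return result
    return "neutral"  # no mechanism matched (RFC 4408 section 4.7)


# Constructed, illustrative scores: positive pushes a mail towards spam,
# negative away from it. These are NOT SpamAssassin's real rule scores.
SCORES = {"pass": -0.1, "fail": 1.0, "softfail": 0.5,
          "neutral": 1.0, "none": 0.0}


def spf_score(record, sender_ip):
    """Map the SPF result to the filter's (assumed) score contribution."""
    return SCORES[evaluate_spf(record, sender_ip)]


if __name__ == "__main__":
    # Constructed sample: a domain that lists one netblock and ends in ?all.
    rec = "v=spf1 ip4:192.0.2.0/24 ?all"
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, evaluate_spf(rec, ip), spf_score(rec, ip))
```

Running it shows that an unlisted sender against a `?all` record evaluates to "neutral", not "fail"; whether "neutral" then costs the message anything is decided entirely in the score table, which is the layer the mail administrator's `?all` choice does not control.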