| 1 |
On Wed, Nov 08, 2006 at 05:54:13PM +0000 or thereabouts, Ciaran McCreesh wrote: |
| 2 |
> We've identified one very widely used application that interprets SPF |
| 3 |
> records based upon how they're used by spammers rather than by how the |
| 4 |
> specification says they should be interpreted. In this case, SA is |
| 5 |
> entirely reasonable in its behaviour -- SPF makes the classic incorrect |
| 6 |
> assumption that spammers won't abuse the system. |
| 7 |
|
| 8 |
Ciaran, you obviously do not understand the issue, nor do you know what |
| 9 |
you're talking about. |
| 10 |
|
| 11 |
The issue is that SpamAssassin assigns a score of ~1 to any email that |
| 12 |
FAILS an SPF check for a domain that has a ?all (neutral) rating. I want |
| 13 |
to stress that it has to FAIL. If it doesn't fail, I believe SA's default |
| 14 |
behavior is to assign a *negative* score of 0.1. |
| 15 |
|
| 16 |
So, in other words, spammers aren't abusing anything related to SPF. |
| 17 |
They're sending mail using forged return-paths and SPF is highlighting |
| 18 |
that. Which is exactly what SPF is designed to do. |
| 19 |
|
| 20 |
The impact is that some users happen to send mail in a way that ends up |
| 21 |
looking very similar to a spammer sending an email with a forged |
| 22 |
return-path. And, because of the way SA has chosen to interpret this, |
| 23 |
those valid, non-spam emails get assigned a positive spam value, even when |
| 24 |
the mail administrator has asked them not to. |
| 25 |
|
| 26 |
--kurt |
Archives