W3C home > Mailing lists > Public > public-usable-authentication@w3.org > June 2006

Re: Why SPF and DK are not being used

From: James A. Donald <jamesd@echeque.com>
Date: Sun, 18 Jun 2006 07:43:06 +1000
Message-ID: <4494776A.1050509@echeque.com>
To: practicalsecurity@hbarel.com, public-usable-authentication@w3.org

Chris Drake wrote:
 > SpamAssassin is probably the most widespread filter
 > deployed, and it uses SPF for sure (probably DK too I
 > think).  The two most effective commercial solutions
 > (Brightmail and the other one - I forget it's name
 > right now) both feed from SPF information as well - so
 > even though you might *think* nobody's using SPF - in
 > reality - almost everyone is using it, as part of
 > their spam scoring systems.

Spam assassin (and probably the others) only nominally
uses DK and SPF.  SpamAssassin fails to utilize
authenticity information to identify originating domains
as known good or known bad.

In SpamAssassin, DK signatures have the same effect on a
mail's score whether signed by gmail, or signed by a
known spammers (not much effect at all).  Similarly for
compliance with SPF rules, though it is more complicated
for SPF rules.

Since it attaches no reputation to sites that prove
origin of their email, it gives legitimate sites no
reason to prove origin of their email - and it gives
spammer sites every reason to prove origin of their
email when they can

          James A. Donald
Received on Saturday, 17 June 2006 21:43:11 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:46:08 UTC