- From: James A. Donald <jamesd@echeque.com>
- Date: Sun, 18 Jun 2006 07:43:06 +1000
- To: practicalsecurity@hbarel.com, public-usable-authentication@w3.org
--
Chris Drake wrote:
> SpamAssassin is probably the most widespread filter
> deployed, and it uses SPF for sure (probably DK too I
> think). The two most effective commercial solutions
> (Brightmail and the other one - I forget its name
> right now) both feed from SPF information as well - so
> even though you might *think* nobody's using SPF - in
> reality - almost everyone is using it, as part of
> their spam scoring systems.

SpamAssassin (and probably the others) only nominally uses DK and SPF. SpamAssassin fails to utilize authenticity information to identify originating domains as known good or known bad.

In SpamAssassin, DK signatures have the same effect on a mail's score whether signed by gmail, or signed by a known spammer (not much effect at all). Similarly for compliance with SPF rules, though it is more complicated for SPF rules.

Since it attaches no reputation to sites that prove origin of their email, it gives legitimate sites no reason to prove origin of their email - and it gives spammer sites every reason to prove origin of their email when they can.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
o4Pmf5hC+o4QP7PXzjMFQKwxMaWOwgdMqhVhxNB6
4kLS4/y5EeZ8ohSPvFeh7TSBytW0tzQ0v+zd3OUwn
Received on Saturday, 17 June 2006 21:43:11 UTC
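The contrast drawn in the message above, as an added example that is not part of the original post and is not SpamAssassin code: a flat adjustment for any valid signature beside a score keyed to the reputation of the verified signing domain. The score values, the reputation table, the sample headers and the use of an Authentication-Results header to carry the verification result are all assumptions made for illustration.

```python
import re

# Constructed reputation table (assumption): negative values lower the spam score.
REPUTATION = {"gmail.com": -3.0, "bulk-offers.example": 4.0}

# Constructed flat adjustment applied to ANY valid signature, whoever signed it.
FLAT_DKIM_ADJUST = -0.1

# Matches "dkim=<result> ... header.d=<domain>" inside one method clause of an
# Authentication-Results header value (assumed to be added by the local verifier).
_DKIM_RE = re.compile(r"\bdkim=(\w+)\b[^;]*?\bheader\.d=([\w.-]+)", re.I)

# Constructed sample header values.
SIGNED_BY_GMAIL = "mx.example.net; dkim=pass header.d=gmail.com"
SIGNED_BY_SPAMMER = "mx.example.net; dkim=pass header.d=bulk-offers.example"
FORGED_GMAIL = "mx.example.net; dkim=fail header.d=gmail.com"


def verified_domain(auth_results):
    """Return the signing domain only if its signature verified, else None."""
    for match in _DKIM_RE.finditer(auth_results):
        if match.group(1).lower() == "pass":
            return match.group(2).lower()
    return None


def flat_score(base, auth_results):
    """Every valid signature moves the score by the same small amount."""
    if verified_domain(auth_results) is None:
        return base
    return base + FLAT_DKIM_ADJUST


def reputation_score(base, auth_results):
    """A valid signature selects the signer's reputation; no proof, no reputation."""
    domain = verified_domain(auth_results)
    if domain is None:
        # A failed or missing signature must not borrow the claimed domain's standing.
        return base
    return base + REPUTATION.get(domain, 0.0)


if __name__ == "__main__":
    for name, hdr in [("gmail", SIGNED_BY_GMAIL), ("spammer", SIGNED_BY_SPAMMER),
                      ("forged", FORGED_GMAIL)]:
        print(name, flat_score(5.0, hdr), reputation_score(5.0, hdr))
```

Under the flat rule the two signed messages are indistinguishable; under the reputation rule the signature is what makes the domain's history count, in either direction.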