SPF for forgery prevention (was Re: [linux-elitists] http get vs post...)

Gerald Oskoboiny gerald@impressive.net
Sun Oct 26 17:55:53 PST 2003


* Karsten M. Self <kmself@ix.netcom.com> [2003-10-26 04:39+0000]:
> Suppose that domain example.com is represented in a large number of
> received emails, many of which are spoofed spam.  For a classifier, this
> would be associated with a relatively high spam predictive score.
> 
> Suppose that there are specific originating IPs which tend _not_ to
> originate spam, though the mail is from 'example.com'.  For a contextual
> filter which looks at both putative sender ('From: ') *and* the
> originating IP ('Received: from'), 'example.com' + 'good IP' will have a
> low (probably negative) spam score.  _Other_ combinations of example.com
> + 'arbitrary IP' will have high scores.  This information will be based
> on the experience and assessment of the local site itself, and isn't
> sensitive to the ability of example.com to keep its DNS SPF records up
> to date.

Sounds good; do you happen to know if something like that has
been deployed, in e.g. SpamAssassin?

I have been using a simple whitelist system based on From: lines
for a few years, and I'm quite happy with it but some time ago
realized I might be better off whitelisting relay IP addresses
than From: lines. (but haven't made time to implement that)

-- 
Gerald Oskoboiny <gerald@impressive.net>
http://impressive.net/people/gerald/
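
Added example, not part of the original message and not SpamAssassin code: a sketch of the contextual filter described in the quoted text, scoring the (From: domain, relay IP) pair from locally observed mail and falling back to the domain alone for relays this site has never seen. The class, helper names, sample messages and the assumption that the topmost Received: header was written by the local MTA are all constructed for illustration.

```python
import math, re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

def features(raw):
    """Return (sender_domain, relay_ip) from the From: and topmost Received: headers."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Assumption: the topmost Received: line was added by our own MTA, so its
    # bracketed IP is the connecting relay and not sender-supplied text.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return domain, (m.group(1) if m else None)

class ContextualFilter:
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()

    def train(self, raw, is_spam):
        domain, ip = features(raw)
        bucket = self.spam if is_spam else self.ham
        bucket[domain] += 1            # domain-only evidence
        bucket[(domain, ip)] += 1      # domain + relay IP evidence

    def _log_odds(self, key):
        # Laplace-smoothed log(spam/ham); positive means spammy
        return math.log((self.spam[key] + 1) / (self.ham[key] + 1))

    def score(self, raw):
        domain, ip = features(raw)
        pair = (domain, ip)
        # Use the pair if this site has seen it; otherwise fall back to the domain
        seen = self.spam[pair] + self.ham[pair] > 0
        return self._log_odds(pair if seen else domain)

def make(domain, ip):
    """Build a constructed sample message (documentation-range IPs only)."""
    return (f"Received: from mail.{domain} (unknown [{ip}]) by mx.local.test\n"
            f"From: user@{domain}\nSubject: test\n\nbody\n")

def demo():
    f = ContextualFilter()
    for _ in range(5):    # legitimate mail from the domain's real relay
        f.train(make("example.com", "192.0.2.10"), is_spam=False)
    for i in range(20):   # spoofed spam claiming the same domain
        f.train(make("example.com", f"198.51.100.{i}"), is_spam=True)
    return (f.score(make("example.com", "192.0.2.10")),    # known good relay
            f.score(make("example.com", "203.0.113.7")))   # never-seen relay
```

With this constructed corpus the known relay scores negative and an unseen relay inherits the domain's positive score, using only the local site's own mail history and no DNS lookup.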
