[Asrg] SPF apologies

Ian Eiloart iane at sussex.ac.uk
Wed Jan 28 02:50:48 PST 2009



--On 27 January 2009 17:34:41 -0600 Gordon Peterson <gep2 at terabites.com> 
wrote:

>  > The reason that SPF is here to stay is that it is good enough
> authentication for most of the mail that most receivers and senders care
> the most about.
>
> With all due respect, that's kind of like saying that you've developed an
> airplane which will get the passengers there for 95 (or even 99) flights
> out of a hundred...!
>
> The fact that SPF screws up on so many ENTIRELY ANTICIPATED AND
> LEGITIMATE cases, IMHO, makes it not viable, even though it works for
> SOME mails, MOST of the time.
>
> Personally, I *strongly* believe that the best approach requires a mix of
> techniques, including (again) a combination of:
>
>     1) fine-grained content criteria based upon the sender/recipient
> duple;
>
>     2) a suitably restrictive default policy to apply to senders
> previously unknown (or untrusted) to the indicated intended recipient;
>
>     3) following THOSE techniques, which by default will block virtually
> all worms/viruses and other evasions, then use SpamAssassin or similar to
> analyze the actual content of the message (which, after
> scripting/HTML/attachments/ActiveX and so forth are out of the equation)
> can probably do a pretty good job.
>
>     4) additional optional content tests for familiar senders (familiar
> mastheads, sig files, or other familiar-looking authenticating content
> that recipient expects in mail from that sender).
>
> If implemented intelligently, I believe this will provide the MOST
> safety, the FEWEST false positives, and give the recipient (the one who
> counts the most) the best feeling of control over their Inbox.

With all due respect, that's kind of like saying that you've developed an
airplane which will get the passengers there for 95 (or even 99) flights
out of a hundred...! Only this time, the airplane was designed by Heath
Robinson or Rube Goldberg.



-- 
Ian Eiloart
IT Services, University of Sussex
x3148
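The disagreement above is about SPF rejecting mail in cases a receiver would consider legitimate. The following is an added illustration, not code from either poster and not a production SPF library: a minimal evaluator for a constructed SPF record (only the ip4 and all mechanisms, no include/redirect/mx/a, no DNS lookups), with a hypothetical domain and addresses. It assumes the classic legitimate-but-failing case is a message relayed by a forwarder whose IP is not in the sender's record; the domain name, record and IPs are constructed for the example.

```python
import ipaddress

# Constructed TXT records standing in for DNS (hypothetical domain).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, txt=DNS_TXT):
    """Simplified SPF check: walk the mechanisms left to right and
    return the result of the first one matching client_ip.
    Only ip4 and all are supported; include/redirect/a/mx are omitted."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4" and ip.version == 4:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "all":
            matched = True
        else:
            matched = False  # unsupported mechanism in this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched (RFC 4408 default)


def receiver_action(spf_result, reject_on_fail):
    """Receiver policy: a strict policy turns a fail into a rejection,
    a lenient one treats SPF as one signal and accepts for further checks."""
    if spf_result == "fail" and reject_on_fail:
        return "reject"
    return "accept-for-content-checks"


# Same MAIL FROM domain, two delivery paths (constructed addresses).
DIRECT_IP = "192.0.2.10"      # sender's own outbound host, listed in the record
FORWARDER_IP = "198.51.100.5"  # a mailing list / forwarder relaying the same message


def compare_paths(domain="example.com"):
    """Return (direct result, forwarded result) for the constructed scenario."""
    return evaluate_spf(domain, DIRECT_IP), evaluate_spf(domain, FORWARDER_IP)


if __name__ == "__main__":
    direct, forwarded = compare_paths()
    print("direct delivery:", direct, "->", receiver_action(direct, True))
    print("forwarded copy:", forwarded, "->", receiver_action(forwarded, True))
    print("forwarded, SPF as one signal:", receiver_action(forwarded, False))
```

The direct delivery passes; the forwarded copy of the very same message fails the `-all` record, and a receiver that rejects on fail drops legitimate mail. Whether the receiver instead uses the fail as one input alongside sender/recipient history and content checks is exactly the policy choice the two posters disagree on.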

