Re: [exim] SPF Question

Author: Tony Finch
Date:  
To: David Woodhouse
CC: exim-users, Marc Perkel
Subject: Re: [exim] SPF Question
On Sun, 2 Jan 2005, David Woodhouse wrote:
>
> SPF can't definitively state that a mail is faked. What it _can_ do is
> tell you that a mail is definitely originating from an authorised
> sender.

It's relatively easy (circumstances allowing) for a forged message to get
a positive SPF result: if you're a customer of the same ISP as the subject
of the forgery you can send the message via the ISP's smarthosts and get
a positive SPF result.

It's even easier to force an unknown SPF result even if the subject domain
has -all in their SPF record: just pick a hostname in their domain that
has an A record but no SPF record, and use that in the return path.

SPF might be a useful ingredient in a scoring system like SpamAssassin,
but it's hopeless by itself. SpamAssassin's scores for SPF checks are very
small, because SPF doesn't trigger very frequently and because its false
positive rate is worse than a good DNS blacklist.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
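As an added illustration, not part of Tony's post or of Exim itself: a minimal SPF checker run over a constructed zone shows the result gap described above (a hostname with an A record but no SPF record yields "none" even though the apex publishes `-all`), and how publishing `v=spf1 -all` for hostnames that never send mail, as RFC 7208 recommends, turns that into "fail". The zone data, hostnames and IP addresses are constructed; the checker handles only the `ip4`, `a` and `all` mechanisms.

```python
import ipaddress

# Constructed zone (not from the original post): name -> {"A": [...], "TXT": [...]}
ZONE_BEFORE = {
    "example.com": {"A": ["192.0.2.10"], "TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "www.example.com": {"A": ["192.0.2.20"]},  # A record, but no SPF record
}
# Hardened zone: a non-sending hostname publishes its own "v=spf1 -all"
ZONE_AFTER = {name: dict(rr) for name, rr in ZONE_BEFORE.items()}
ZONE_AFTER["www.example.com"]["TXT"] = ["v=spf1 -all"]

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(zone, domain):
    """Return the v=spf1 TXT record for domain, or None (SPF result 'none').
    Toy checker: multiple SPF records (a permerror in RFC 7208) are not handled."""
    recs = [t for t in zone.get(domain, {}).get("TXT", [])
            if t.lower().startswith("v=spf1 ")]
    return recs[0] if recs else None


def check_host(zone, client_ip, mail_from):
    """Evaluate SPF for the MAIL FROM (return path) domain against client_ip."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = spf_record(zone, domain)
    if record is None:
        return "none"  # the gap: no record for this hostname, so -all never applies
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in zone.get(arg or domain, {}).get("A", [])
        else:
            return "permerror"  # mechanism not implemented in this toy checker
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no explicit "all"
```

Note that a message relayed through the ISP's own smarthost (192.0.2.10 here) passes for any return path in example.com, which is the first point Tony makes: a pass says the sending host is authorised for the domain, not that the sender is who they claim.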