Re: [exim] Anti Phishing Trick

Author: Marc Sherman
Date:  
To: exim-users
Subject: Re: [exim] Anti Phishing Trick
Marilyn Davis wrote:
>
> Yes. Another point, however, is that, for your bank, you might want
> to give (just) them your unforwarded email address, or an address
> that forwards from a system that does rely on SPF, ... or you'll get phish
> unless it is caught via some other mechanism. It's something to
> suggest to customers who get phish forwarded to them.
>
> So, unless someone has something specific to and technically valid
> against these particular observations, SPF seems useful enough to not
> deserve the treatment it gets here.
I haven't analyzed your new proposal in detail yet, so I can't comment
specifically on its merits. I just want to point out that you (and to
a lesser extent, Steve Lamb) are doing the same thing here that you did
when we had the long thread on C/R systems earlier this year; you're
innovating a new technique based partially on an old, discredited one,
and then using your new technique to argue the merits of the old one.

SPF, by definition, involves _rejection_ of _all_ mail that the DNS
records tell you to reject. This is the system which we are all
claiming is fundamentally broken. Not selective checking of SPF records
based on a complex phish-detection heuristic, and not using SPF records
solely as a data source for a bayesian filter which makes the final
rejection determination. Neither of those techniques is documented in
the proposed standard called SPF, and if they were, it might not be
considered the failure it currently is on this list.

It might be tempting to respond, "well, of course, when you look
literally at the SPF spec, it's broken, so let's call this non-broken
variation SPF instead." But semantics is important -- if we don't agree
on a shared vocabulary, we can't discuss anything effectively; we end up
with threads like the one last week, where Steve and Tony were calling
each other idiots because they weren't in fact talking about the same
thing. The SPF that Tony was talking about, the one described in the
spec that requires rejection of all messages which the SPF lookup tells
you to reject, is, in fact, quite broken. The variant that Steve calls
SPF, which feeds the result of the SPF lookup into a bayesian filter, is
an entirely different thing.

- Marc
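The distinction Marc draws above, between rejecting outright on an SPF "fail" and feeding the SPF result into a scoring filter, can be made concrete with a small model. The following is an added example written for this archive page; it is not Exim code, not anything from the exim-users list, and not a real SPF implementation. It evaluates only the `ip4` and `all` mechanisms against records embedded inline (a real check fetches the domain's TXT record over DNS), and the spam-score weights and threshold are constructed values chosen to illustrate the point. The forwarded-mail case in Marilyn's quoted paragraph is included: the same "fail" result causes a reject under the strict policy but only adds weight under the scoring policy.

```python
import ipaddress

# Constructed SPF records for illustration; a real check does a DNS TXT lookup.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "newsletter.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_domain, client_ip):
    """Evaluate a simplified SPF record against the connecting client IP.

    Only the ip4 and all mechanisms are handled. Returns one of
    pass, fail, softfail, neutral, or none (no record published).
    """
    record = SPF_RECORDS.get(sender_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"  # assumption: a malformed record is treated as absent
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def strict_policy(spf_result):
    """Reject whenever the record says fail: the behaviour the message
    attributes to the SPF spec itself."""
    return "reject" if spf_result == "fail" else "accept"


# Constructed weights: SPF is just one piece of evidence in a spam score.
SPF_WEIGHTS = {"pass": -1.0, "fail": 3.0, "softfail": 1.5,
               "neutral": 0.0, "none": 0.0}
REJECT_THRESHOLD = 5.0


def scoring_policy(spf_result, other_score):
    """SPF result as one feature among others; the total decides.

    other_score stands in for whatever the rest of the filter (e.g. a
    Bayesian classifier) contributed. Returns (decision, total_score).
    """
    total = other_score + SPF_WEIGHTS[spf_result]
    return ("reject" if total >= REJECT_THRESHOLD else "accept"), total


def compare_policies(sender_domain, client_ip, other_score):
    """Run both policies on one message and return their decisions."""
    result = evaluate_spf(sender_domain, client_ip)
    scored, total = scoring_policy(result, other_score)
    return {"spf": result, "strict": strict_policy(result),
            "scoring": scored, "score": total}


if __name__ == "__main__":
    # Constructed scenarios. 203.0.113.5 is a phisher's host, 203.0.113.50 a
    # forwarding host that relays the bank's genuine mail to a customer.
    print("phish   :", compare_policies("bank.example", "203.0.113.5", 4.0))
    print("forward :", compare_policies("bank.example", "203.0.113.50", 0.0))
    print("direct  :", compare_policies("bank.example", "192.0.2.10", 0.0))
```

The forwarded message and the phish both produce "fail" from the record, so the strict policy cannot tell them apart and rejects both; the scoring policy rejects only the message whose other evidence already pushed it near the threshold, which is the behaviour Marc says the spec does not describe.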