I think whitelisting E-mail based on an SPF PASS probably isn't a wise idea, but I'm sure that spammers that do use SPF will be much easier to catch (they are providing a list of IPs that they may be spamming from <G>).
If I were a spammer, I would use this to my advantage. These guys collect 2,000 IPs at a time, and move around their blocks in order to avoid being perma-listed in the RBLs already, and turning on and off some SPF listings can't be that much more difficult. Besides that, even legit servers pass spam. Forwarding is problematic for this test, and then there's the fact that very small-time spammers will use their ISP to send out their garbage. The very small-time spammers are the most likely to get through my server, but thankfully the volume is low.
If SPF becomes popular, crediting points for passing the test will become a big no-no. Maybe this isn't something that you will want to support long-term?
Normally, it uses the return address of the E-mail (MAILFROM, from the X-Declude-Sender: header). However, if there is a NULL <> return address, or the address isn't valid ("postmaster", for example), then the domain in the HELO/EHLO will be used.
I'm not sure if this is in the RFC, but it would be a lot more accurate if you could compare the HELO to the SPF data. Some scripts also falsify the HELO, but nowhere near the number of forged domains in MAILFROM.
Maybe a separate test possibility? Or even a replacement?
I do like this whole idea a lot better than Web-O-Trust though. My only concern about the viability of this test is how responsible administrators will be in covering their scripts as well as their mail server. I suspect that human nature will show its face and mitigate the usefulness to some extent. The fact that this appears hard to understand at first glance (to me at least) tells me that it's likely to be screwed up.
Matt
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
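The identity selection described in the message above (MAIL FROM first, the HELO/EHLO name when the return address is null or invalid), together with scoring that gives no credit for a PASS, as an added example that is not part of the original post and is not Declude's code. The function names, the domain check and the weights are assumptions made for illustration.

```python
import re

# Assumed validity check: dot-separated letter/digit/hyphen labels, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def _usable_domain(name):
    """Return the normalized domain, or None if it is not a plausible FQDN."""
    name = name.strip().rstrip(".").lower()
    return name if _DOMAIN_RE.match(name) else None

def select_spf_identity(mail_from, helo):
    """Pick the domain whose SPF record is looked up.

    Returns ("mailfrom", domain), ("helo", domain) or (None, None).
    """
    addr = mail_from.strip().strip("<>").strip()
    if "@" in addr:
        domain = _usable_domain(addr.rsplit("@", 1)[1])
        if domain:
            return "mailfrom", domain
    # Null sender "<>" or an address with no valid domain ("postmaster"):
    # fall back to the HELO/EHLO name. Address literals such as
    # [192.0.2.1] and bare host names are rejected by _usable_domain.
    domain = _usable_domain(helo)
    if domain:
        return "helo", domain
    return None, None

# Hypothetical weights (constructed values): a PASS earns no credit, since
# a spammer can publish SPF records too; only failures add to the score.
SPF_WEIGHTS = {"pass": 0, "neutral": 0, "none": 0, "softfail": 3, "fail": 8}

def spf_score(result):
    """Map an SPF result string to spam points; unknown results score 0."""
    return SPF_WEIGHTS.get(result.lower(), 0)

if __name__ == "__main__":
    # Constructed sample envelopes: (MAIL FROM, HELO)
    for mf, helo in [("<user@example.com>", "mail.example.net"),
                     ("<>", "mail.example.net"),
                     ("postmaster", "[192.0.2.1]")]:
        print(mf, helo, "->", select_spf_identity(mf, helo))
```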
