On May 8, 2014, at 8:03 PM, Murray S. Kucherawy via dmarc-discuss <[email protected]> wrote:
> On Thu, May 8, 2014 at 12:28 PM, J. Gomez <[email protected]> wrote:
> > It seems to me that a particularly defensive receiver would run the
> > heuristic/whitelist checks on all messages anyway.
>
> Why? It seems to me that a particularly defensive receiver would instantly
> drop dead incoming email which fails a DMARC check and comes from a domain
> with "p=reject;l=no", without subjecting it to any further processing
> whatsoever.
>
> Because they're local and/or cheap (they don't exactly require an AI or ML
> engine), and it's best for the final accept/reject/spam-folder decision to be
> made with as much data as possible.
>
> Perhaps you're assuming that those checks are expensive? I would bet that
> even for medium-sized operators, they are not; the heuristics amount to a
> relatively small number of header field retrieve and analyze operations
> (string comparisons, hash table lookups, etc.), and the whitelist check would
> be a local database query with a Boolean result. The high cost would occur
> for operators with very low compute power or network latency such that those
> checks are costly, but that would also disqualify them from things like DNSBL
> queries that are typically done on every message.
>
> For large operators that have tons of data, they can have dedicated processes
> that look through message histories to find out behavior patterns indicative
> of lists, and update their own internal whitelists. The query to the
> whitelist upon message receipt is cheap because it's local; it's the analysis
> that's expensive, but it's likely not done as part of the message receipt
> pipeline.
>
> For small operators without such resources, they would import or query an
> external whitelist, or the heuristic would amount to something akin to a
> Spamassassin rule that, again, is just some string comparison operations,
> updates to which are periodically updated, possibly automatically.
> You could also log the IP of an email that fails DMARC but contains a List-Id or List-Post header, and then every day review this log and add the relevant IPs in a DMARC-MLM override whitelist. A user subscribing to a mailing list would lose just a few emails till the whitelist kicks in….
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
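The log-and-review approach from the message above, sketched as an added example that is not part of the original thread. The function names, the in-memory log and override set, and the sample messages are all assumptions; the DMARC verdict is taken to come from an upstream evaluator.

```python
from collections import defaultdict
from email import message_from_string

LIST_HEADERS = ("List-Id", "List-Post")  # the two headers named in the thread

def list_headers(raw_message):
    """Return the non-empty List-Id/List-Post values of a message (cheap lookups)."""
    msg = message_from_string(raw_message)
    found = {h: (msg.get(h) or "").strip() for h in LIST_HEADERS}
    return {h: v for h, v in found.items() if v}

def handle_dmarc_failure(raw_message, client_ip, overrides, candidate_log):
    """Decide on a message that already failed DMARC under p=reject.

    overrides     -- set of reviewed MLM source IPs (hypothetical local store)
    candidate_log -- list that collects (ip, List-Id) pairs for the daily review
    """
    if client_ip in overrides:
        return "accept"  # local policy override for a reviewed list server
    headers = list_headers(raw_message)
    if headers:
        # List headers are sender-controlled, so this only queues the IP for
        # review; nothing is whitelisted automatically.
        candidate_log.append((client_ip, headers.get("List-Id", "")))
    return "reject"

def review_candidates(candidate_log, min_hits=2):
    """Daily summary: IPs seen at least min_hits times, with their List-Ids."""
    seen = defaultdict(list)
    for ip, list_id in candidate_log:
        seen[ip].append(list_id)
    return [(ip, len(ids), sorted(set(ids)))
            for ip, ids in sorted(seen.items()) if len(ids) >= min_hits]

# Constructed sample messages and documentation-range IPs, not real traffic.
LIST_MSG = ("From: alice@example.com\n"
            "List-Id: <discuss.lists.example.org>\n"
            "List-Post: <mailto:discuss@lists.example.org>\n"
            "Subject: hello\n\nbody\n")
DIRECT_MSG = "From: alice@example.com\nSubject: hello\n\nbody\n"

if __name__ == "__main__":
    log, overrides = [], set()
    for raw, ip in [(LIST_MSG, "192.0.2.10"), (LIST_MSG, "192.0.2.10"),
                    (DIRECT_MSG, "198.51.100.7")]:
        print(ip, handle_dmarc_failure(raw, ip, overrides, log))
    print(review_candidates(log))
```
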
