> On Nov 30, 2021, at 1:10 PM, Matija Nalis <mnalis-sa-l...@voyager.hr> wrote:
>
> On Tue, Nov 30, 2021 at 12:03:15PM -0700, Philip Prindeville wrote:
>>> On Nov 17, 2021, at 9:50 AM, Bill Cole
>>> <sausers-20150...@billmail.scconsult.com> wrote:
>>> SpamAssassin rules are not laws in any sense. They do not prescribe or
>>> proscribe any action. They do not reflect any sort of moral or ethical
>>> judgment. They do not express or define technical correctness.
>>
>> Isn't that exactly what we're discussing here? "Technical correctness"?
>
> Hm, no? App encoding pure ASCII in Base64 is not breaking any RFC?
> So it is behaving "technically correctly".
Again, Postel's Rule.
Excessive and unnecessary encoding isn't behaving correctly.
>
>> Good internetworking implementations follow (to the extent they don't
>> conflict with good security practices) Postel's Law, "be conservative in
>> what you send, be liberal [but not naive] in what you accept".
>
> Well, antispam efforts (as is security for important stuff) are
> mostly exactly the OPPOSITE of good internetworking implementations
> of the old Postel's law.
Yeah, they date from a more innocent time. Unfortunately Jon passed away
before he could adjust it for a more modern world. (He was one of my mentors
and I miss him, along with Bob Braden.)
> And for the good reasons - in the internetworking implementations of
> the old, the vast majority of peers (if not all) you interacted with
> were GOOD guys trying to do good things.
>
> In today's e-mail (and security), the majority of the actors are
> enemies trying to penetrate your defensive lines.
That might be overstated.
> Also, see https://en.wikipedia.org/wiki/Robustness_principle#Criticism
I'm aware. Jon and I had a few arguments about this.
Including about how it weakened the effectiveness of Bake-Offs and
stringency/conformance testing.
>> Rereading:
>>> Base64 encoding is only necessary if there are non-ASCII characters used.
>>> UTF-8 is a superset of ASCII & it is normal for MUAs to not encode more
>>> than needed.
>>
>> Exactly. Encoding is only used when and where necessary.
>
> ...by legitimate users. Spammers on the other hand will sometimes
> encode even when it is NOT needed, probably in an attempt to avoid less
> advanced antispam tools (or due to sheer laziness when writing a spam
> tool).
>
> The fact that such encoding is technically allowed does NOT change the
> fact that the technique is vastly more used by spammers than by
> innocent parties.
I don't think anyone is arguing otherwise.
-Philip
>
>> Properly encoded HTML uses HTML-Entity naming, which is also ASCII-friendly,
>> i.e. &eacute; instead of Latin1 é etc. or raw 8bit characters.
>
> There are several "proper" (ie. allowed by different RFCs) ways to
> encode that information in mail. Statistical analyses seem to say that
> some of the ways are used much more by spammers than by legitimate
> users. Hence, the score for those methods.
>
> --
> Opinions above are GNU-copylefted.
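
The check debated in this thread, as an added example that is not part of the original messages and is not SpamAssassin's own rule code: it flags text parts that are Base64-encoded although their decoded body is plain 7-bit ASCII. The function names and the sample messages are constructed for illustration, and the result is meant as one scoring signal, not a verdict.

```python
import base64
from email import message_from_bytes
from email.message import Message


def needlessly_base64(part: Message) -> bool:
    """True when a text/* part uses base64 although its decoded body is
    7-bit ASCII with lines short enough to have been sent unencoded."""
    if part.get_content_maintype() != "text":
        return False
    cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
    if cte != "base64":
        return False
    body = part.get_payload(decode=True) or b""
    if not body.strip():
        return False  # empty part: nothing to judge
    if any(b > 0x7F or b == 0 for b in body):
        return False  # 8-bit or NUL bytes: an encoding was justified
    # RFC 5322 caps a line at 998 characters; longer lines need an encoding.
    return all(len(line) <= 998 for line in body.splitlines())


def flag_message(raw: bytes) -> list:
    """Content types of the leaf parts in `raw` that were encoded needlessly."""
    msg = message_from_bytes(raw)
    return [p.get_content_type() for p in msg.walk()
            if not p.is_multipart() and needlessly_base64(p)]


def _sample(text: str) -> bytes:
    """Build a constructed single-part message with a base64 body."""
    b64 = base64.encodebytes(text.encode("utf-8")).decode("ascii")
    return ("Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
            "Content-Type: text/plain; charset=utf-8\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + b64).encode("ascii")


# Constructed inputs: ASCII hidden in base64, real non-ASCII, and unencoded.
ASCII_ONLY = _sample("Plain seven-bit text, nothing to encode.\n")
NON_ASCII = _sample("Caf\u00e9 d\u00e9j\u00e0 vu\n")
PLAIN_7BIT = (b"Subject: constructed sample\r\n"
              b"Content-Type: text/plain\r\n\r\nhello\r\n")

if __name__ == "__main__":
    for name, raw in [("ascii-only", ASCII_ONLY), ("non-ascii", NON_ASCII),
                      ("plain-7bit", PLAIN_7BIT)]:
        print(name, flag_message(raw))
```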