On Tue, 19 Jun 2012 19:14:11 -0400 Jeff Mincy wrote:

> From: RW <rwmailli...@googlemail.com>
> Date: Tue, 19 Jun 2012 23:43:57 +0100
>
> If used sensibly USER_IN_WHITELIST is probably the most reliable
> rule we have, for the overwhelming majority of addresses it's far
> more accurate than spf based whitelisting. It's not always right to
> treat users as idiots.
>
> Huh? What do you mean by used sensibly?

I mean, don't use it on well-known addresses, or if you're a candidate for spear-phishing and can't be trusted not to fall for it. Don't whitelist domains unless they are extremely obscure.

> whitelist_from_rcvd is very reliable.

Not if someone sends an email through a different mail system, which is a scenario where Bayes is much more likely to misclassify and an FP is most likely. It's also broken by forwarding, like spf is.

> whitelist_from is trivial to spoof.

The overwhelming majority of email addresses are never spoofed.
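
Added example, not part of the original post and not SpamAssassin's own code: a simplified Python model of the two whitelist checks discussed in this message, run over the delivery paths it mentions (direct, a different mail system, forwarding, a spoofed sender). All addresses, host names and function names are constructed, and the matching logic is an assumption: a glob match on the sender address, plus, for whitelist_from_rcvd, a suffix match on the reverse-DNS name of the relay that handed the message to the local network.

```python
from fnmatch import fnmatchcase

# Constructed whitelist entries, mirroring the two config directives.
WHITELIST_FROM = ["friend@example.org"]
WHITELIST_FROM_RCVD = [("friend@example.org", "example.org")]

def addr_matches(pattern, addr):
    """Case-insensitive glob match on the sender address."""
    return fnmatchcase(addr.lower(), pattern.lower())

def rdns_matches(domain, rdns):
    """True if the relay's rDNS name is the domain or a subdomain of it."""
    rdns = rdns.lower().rstrip(".")
    domain = domain.lower()
    return rdns == domain or rdns.endswith("." + domain)

def hits_whitelist_from(msg):
    # Only the claimed sender address is checked.
    return any(addr_matches(p, msg["from"]) for p in WHITELIST_FROM)

def hits_whitelist_from_rcvd(msg):
    # Sender address AND the handing-over relay must both match.
    return any(addr_matches(p, msg["from"]) and rdns_matches(d, msg["relay_rdns"])
               for p, d in WHITELIST_FROM_RCVD)

# Constructed sample messages: claimed sender plus rDNS of the last external relay.
MESSAGES = {
    "direct":       {"from": "friend@example.org", "relay_rdns": "mail.example.org"},
    "other_system": {"from": "friend@example.org", "relay_rdns": "smtp.webmail.test"},
    "forwarded":    {"from": "friend@example.org", "relay_rdns": "mx.forwarder.test"},
    "spoofed":      {"from": "friend@example.org", "relay_rdns": "host.unknown.test"},
    "lookalike":    {"from": "friend@example.org", "relay_rdns": "mail.notexample.org"},
    "stranger":     {"from": "someone@other.test", "relay_rdns": "mail.example.org"},
}

def evaluate():
    """Return {name: (whitelist_from hit, whitelist_from_rcvd hit)}."""
    return {name: (hits_whitelist_from(m), hits_whitelist_from_rcvd(m))
            for name, m in MESSAGES.items()}

if __name__ == "__main__":
    for name, (wf, wfr) in evaluate().items():
        print(f"{name:13s} whitelist_from={wf!s:5s} whitelist_from_rcvd={wfr}")
```

In this model whitelist_from accepts every message that claims the listed address, while whitelist_from_rcvd gives the same negative result for the spoofed message and for the genuine message sent through another system or a forwarder.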