How to whitelist ebay but not ebay spoofs?

George Schlossnagle
Thu Dec 16 00:16:06 UTC 2004

On Dec 15, 2004, at 6:51 PM, Vernon Schryver wrote:
>   - ${dcc_envelope_is_truthful} would not be quite right or not quite
>      as useful as it might sound.  In the unlikely event that not
>      merely publishing SPF RRs but checking them became popular,
>      phishers would buy and publish SPF records for it.
>      Notice the NANAS reports of phishing spam in

That was actually the point I was trying to make, probably not very 
clearly. :)  The existence of an SPF record (or valid DK signature or 
auth method xyz)  doesn't guarantee that the mail is good, only that 
the person is who they claim to be.  If they claim to be '', 
that's great,  because that domain will never be on my whitelist (and 
probably on an explicit blacklist).

I think those technologies (spf/dk/iim/senderid/etc.) belong in logic 

if authenticated():
   if domain is trusted:
   do whatever I normally do

>   - Saying that I don't think much of SPF grossly overstates my
>      enthusiasm.  I'll leave to your imagination what I really think
>      of using SPF for any purpose other than the one implied by the
>      reports that valid SPF RRs are commonly seen for spam.

While the technology has some flaws, I think that you might feel 
different if you consider it simply as a stab at an authentication 
technology and not as an authorization technology.  Or maybe not.  :)
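
The two-step decision discussed in this message (authenticate the sender first, then ask whether the authenticated domain is trusted), as an added example that is not part of the original post. It assumes the receiving MTA prepends its own `Received-SPF` header; `TRUSTED_DOMAINS`, the function names and the sample messages are constructed for illustration.

```python
import email
import re

TRUSTED_DOMAINS = {"ebay.com"}  # assumption: the local whitelist, exact domains only

RESULT_RE = re.compile(r"\s*([a-z]+)", re.I)
ENVELOPE_RE = re.compile(r'envelope-from="?<?[^\s";>]*@([^\s";>]+)', re.I)


def authenticated_domain(raw_message):
    """Envelope domain vouched for by an SPF 'pass', or None if unauthenticated.

    Assumption: the receiving MTA prepends its own Received-SPF header, so only
    the topmost one is read; any copies further down may be sender-supplied.
    """
    header = email.message_from_string(raw_message).get("Received-SPF")
    if header is None:
        return None
    result = RESULT_RE.match(header)
    envelope = ENVELOPE_RE.search(header)
    if not result or result.group(1).lower() != "pass" or not envelope:
        return None
    return envelope.group(1).lower().rstrip(".")


def disposition(raw_message):
    """Authentication says who sent it; the whitelist decides whether that matters."""
    domain = authenticated_domain(raw_message)
    if domain is not None and domain in TRUSTED_DOMAINS:
        return "whitelist"
    return "normal-filtering"


def sample(spf_value, from_header):
    """Build a constructed test message (not real mail)."""
    spf = f"Received-SPF: {spf_value}\n" if spf_value else ""
    return f"{spf}From: {from_header}\nSubject: Your account\n\nbody\n"


GENUINE = sample('pass client-ip=192.0.2.10; envelope-from="bounce@ebay.com";', "eBay <info@ebay.com>")
LOOKALIKE = sample('pass client-ip=198.51.100.7; envelope-from="billing@ebay-billing.example";', "eBay <info@ebay.com>")
FORGED = sample('fail client-ip=203.0.113.9; envelope-from="bounce@ebay.com";', "eBay <info@ebay.com>")
UNSIGNED = sample(None, "eBay <info@ebay.com>")

if __name__ == "__main__":
    for name in ("GENUINE", "LOOKALIKE", "FORGED", "UNSIGNED"):
        print(name, disposition(globals()[name]))
```

Only the first message is whitelisted: the lookalike domain authenticates correctly but is not trusted, and the trusted name without a passing check is not authenticated.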

