Re: [Asrg] misconception in SPF

Martijn Grooten <martijn.grooten@virusbtn.com> Mon, 10 December 2012 13:48 UTC

Paul Smith wrote:
> It doesn't really even matter who the email is from if you're going to
> click on links - all that matters is where those links go.

While not all bad things that can happen as a consequence of taking a fake email to be real involve clicking links, I agree it would be very helpful if we could somehow determine the legitimacy of links at the MTA/MUA level.

However, we can't. There are simply too many examples of bad links that match the sender's address (paypai being just one of them) and even more examples of 'good' links that don't match, that in general you can't tell from just analysing the URL.

Martijn.
