The effect that ARC headers have on spam scores is interesting. As someone who runs his own private mail server, I can seemingly improve the deliverability of my emails by just adding a set of useless ARC headers to my own emails?


I want to say no, purely based on the idea that if that were the case all my inboxes - spread across several providers - would be overwhelmed with spam? Surely the (organised, educated) spammers are all over this sort of thing and would be using that to break through?


That's what I would assume too, but one of the slides very specifically claims:

> The presence of an arc=pass generally guarantees a better spam score. Confirmed with ProtonMail. Seems to be the case with Gmail and Outlook as well.

And it doesn't seem like there's anything that would prevent me from adding this to my own emails. I don't think it would turn blatant spam into non-spam, but it seems like it could help something that's already teetering on the line.
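
A receiver-side view of the point in the comment above, as an added example that is not part of the thread: since any sender can attach an ARC set to its own mail, a filter can limit credit to chains whose sealers it has chosen to trust. The trusted-sealer list, the function names and the all-sealers-trusted policy are assumptions, the sample messages are constructed, and signature checking is assumed to happen elsewhere.

```python
from email import message_from_string

# Assumption: sealer domains this receiver has decided to trust (hypothetical).
TRUSTED_SEALERS = {"lists.example.org"}

def parse_tags(value):
    """Parse the 'k=v; k=v' tag list used by ARC-Seal (RFC 8617)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = "".join(val.split()).lower()
    return tags

def arc_credit(raw_message, chain_validated):
    """Decide whether an ARC chain earns any reputation credit.

    chain_validated is the outcome of the receiver's own cryptographic
    ARC validation; this function does not verify signatures itself.
    """
    msg = message_from_string(raw_message)
    seals = [parse_tags(v) for v in msg.get_all("ARC-Seal", [])]
    if not seals:
        return False, "no ARC sets"
    if not chain_validated:
        return False, "chain failed validation"
    by_instance = {s.get("i"): s for s in seals}
    expected = [str(i) for i in range(1, len(seals) + 1)]
    if set(by_instance) != set(expected):
        return False, "instance numbers not contiguous"
    for i, seal in by_instance.items():
        # The first set must carry cv=none, every later set cv=pass.
        if seal.get("cv") != ("none" if i == "1" else "pass"):
            return False, f"unexpected cv in set {i}"
    for i in expected:
        domain = by_instance[i].get("d", "")
        if domain not in TRUSTED_SEALERS:
            return False, f"untrusted sealer: {domain}"
    return True, "valid chain from trusted sealers"

# Constructed samples: signature values are placeholders, not real seals.
BODY = "From: someone@sender.example\nSubject: hello\n\nbody\n"
SELF_SEALED = ("ARC-Seal: i=1; a=rsa-sha256; cv=none; d=sender.example; "
               "s=sel; b=PLACEHOLDER\n" + BODY)
FORWARDED = ("ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; "
             "s=sel; b=PLACEHOLDER\n" + BODY)
```

Under this policy a self-sealed message gets no credit even when its chain validates, because the only sealer is the sender's own domain.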


I want to test this now heh!


Nobody in the email world considers ARC to be a bulletproof way to bypass spam filtering at a major receiver. The DEFCON presenter was ill-equipped to make that determination.


> bulletproof way to bypass spam filtering

Yeah that's definitely not what I meant or what the presenter seems to be implying. If it helps spam scores even a little bit, that's very interesting and potentially worth implementing in private hosts that often get dinged by larger hosts just for not being well-known. It doesn't need to get anywhere near turning actual spam into non-spam.


I've worked in anti-spam since 2003. I am skeptical that his claims about ARC work at scale. Google does not have a rules-based spam filtering system. It is entirely driven by a massive machine learning model that adjusts its weights in response to user interaction. You can't beat that model.


> It is entirely driven by a massive machine learning model that adjusts its weights in response to user interaction. You can't beat that model.

Why not? Spammers do. I get spam to my gmail all the time.


Yep, I see phishing style spam (email from random domain that claims to be my bank) in my gmail in the past few weeks.


> You can't beat that model.

Sign up for a google apps account and send outbound cold sales spam via gmail. Seems to work exceedingly well judging by my inbox.


… I should have carved out a space for cold prospecting. I’m using GPT-3.5 to detect it in my own inbox because bulk spam filters don’t seem to have the requisite power to deal with such highly customized messages at scale.


They’ll be detecting based on spam received from the sending domain soon enough.


> I've worked in anti-spam since 2003.

By that you mean 2003 was the first year this vulnerability was reported to you, and every year since you've been auto-replying "nothing to see here" when people kept reporting this vulnerability to you?

