...
- use IP address info from the Received headers or the last untrusted relay, and combine that with the address to come up with a combined email-and-ip address, similar to how the AutoWhitelist does it.
- require that any whitelisted address be on a domain that publishes SPF records.
- MalteStretz: cross-checking against SPF for entries for which no routing information is avaliable (ie. addressbook entries etc) is a good idea. another possibility to avoid some FPs could be to exclude all domains which are equal to the recipient's one
- JustinMason: we have theorized that spammers could scrape addresses that occur in conjunction; e.g. together on a mailing list archive page, or a "contact us" page. I don't know if this has happened "in the wild" yet. viruses certainly already do it though.