This was my thought, as well. I have already found e-mail that I felt was spam that had valid SPF records.
I'm curious about this one -- could you let me know the domain?
I think whitelisting E-mail based on an SPF PASS probably isn't a wise idea, but I'm sure that spammers that do use SPF will be much easier to catch (they are providing a list of IPs that they may be spamming from <G>).
> I still have to read up on this some more and figure it all out, but am > I correct that this matches the MAILFROM address and not something else > like the the HELO?
I believe it is the domain part of the original sender's e-mail address that is queried for its txt record. Scott, is this correct? However, it appears to use the list servers domain address if sent from a mailing list.
Normally, it uses the return address of the E-mail (MAILFROM, from the X-Declude-Sender: header). However, if there is a NULL <> return address, or the address isn't valid ("postmaster", for example), then the domain in the HELO/EHLO will be used.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
