I think whitelisting E-mail based on an SPF PASS probably isn't a wise idea, but I'm sure that spammers that do use SPF will be much easier to catch (they are providing a list of IPs that they may be spamming from <G>).

If I were a spammer, I would use this to my advantage. These guys collect 2,000 IPs at a time, and move around their blocks in order to avoid being perma-listed in the RBLs already, and turning on and off some SPF listings can't be that much more difficult.

But, they then have to register domains to publish the SPF records with. That leaves a new area for exploration -- finding the registrars they are using, checking WHOIS information, NS records, etc. If SPF E-mail was being whitelisted, it would be very useful for the spammer. But if it subtracts 10 points from the weight of the E-mail, it isn't going to be enough to make it worth the while for spammers to do this.


Normally, it uses the return address of the E-mail (MAILFROM, from the X-Declude-Sender: header). However, if there is a NULL <> return address, or the address isn't valid ("postmaster", for example), then the domain in the HELO/EHLO will be used.


I'm not sure if this is in the RFC, but it would be a lot more accurate if you could compare the HELO to the SPF data. Some scripts do also falsify the HELO, but nowhere near the number of forged domains in MAILFROM.

The original design for SPF allowed for that, but the current one does not. I'm not sure why that was changed.


-Scott
---
This E-mail came from the Declude.JunkMail mailing list. The archives can be found at http://www.mail-archive.com.
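The domain selection and weighting described in the message above, as an added example that is not Declude's code and not part of the original post. The function names, the constructed records and the fail penalty are assumptions, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (example domains only).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    # A bulk sender can register a domain and publish a valid record too.
    "bulk-sender.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "mail.example.net": "v=spf1 ip4:203.0.113.10 -all",
}

def spf_domain(mail_from, helo):
    """Domain to check: MAIL FROM domain, or HELO if the sender is null or invalid."""
    addr = (mail_from or "").strip().strip("<>")
    local, at, domain = addr.rpartition("@")
    if at and local and "." in domain:
        return domain.lower()
    return helo.lower()  # "<>" and bare "postmaster" both land here

def spf_result(domain, client_ip):
    """Evaluate the ip4 and all mechanisms of a record (a subset of SPF)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return qualifiers[qual]
        if term == "all":
            return qualifiers[qual]
    return "neutral"

def adjust_weight(weight, result, pass_credit=10, fail_penalty=10):
    """Treat SPF as one weighted test: a pass lowers the weight, it never whitelists."""
    if result == "pass":
        return weight - pass_credit
    if result == "fail":  # penalty size is an assumption, not from the post
        return weight + fail_penalty
    return weight
```

The `bulk-sender.example` record passes for its own address block, which is why a pass here only earns a 10-point credit and the other tests still decide the outcome.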