Be careful of using spfpass. Spammers can use SPF, too! We do not give any credit for passing SPF, only a penalty for failing.... which too many email admins set up but allow their networks to send email from machines not listed in their SPF record :(.
Darin. ----- Original Message ----- From: "Nick Hayer" <[EMAIL PROTECTED]> To: <Declude.JunkMail@declude.com> Sent: Thursday, September 08, 2005 8:40 AM Subject: Re: [Declude.JunkMail] SPFPass - good or bad? Hi David - I like the spfpass test - coupled with filters it does help aginst false positives. [I prepend all my tests with the test type - thanks Kami! - it makes these filters easier to write -] Here is my spfgood filter - I score it with a -12: SKIPIFWEIGHT 26 TESTSFAILED END NOTCONTAINS TEST.SPFPASS TESTSFAILED END CONTAINS IP4R. TESTSFAILED END CONTAINS DNSBL. TESTSFAILED END CONTAINS RHSBL. TESTSFAILED END CONTAINS SNIFFER.. TESTSFAILED END CONTAINS EXTERNAL. TESTSFAILED END CONTAINS IPFILE.HOSTS TESTSFAILED END CONTAINS IPFILE.NETWORK TESTSFAILED END CONTAINS IPFILE.SUSPICIOUS #if it gets to here it is is clean REMOTEIP 0 CONTAINS . Here is my spfmaybe combo filter which I score with a -3: SKIPIFWEIGHT 26 TESTSFAILED END NOTCONTAINS TEST.SPFPASS TESTSFAILED END CONTAINS .SBL TESTSFAILED END CONTAINS .XBL TESTSFAILED END CONTAINS .CBL TESTSFAILED END CONTAINS .MPL #if it gets to here it is not listed in dnsbl's I trust TESTSFAILED 0 CONTAINS IP4RW. [whitelist ip4r tests] TESTSFAILED 0 CONTAINS DNSBLW. [whitelist dnsbl tests] -Nick David Dodell wrote: >I've noticed a bunch of spam with SPFPass grades that have negated the >spam databases (I have SPFPass at -5) ... is anyone finding that >SPFPass is working with spammers using legitimate ISP's? > >david > >----- >Internet Dental Forum www.internetdentalforum.org >Dentalcast Podcast www.dentalcast.net > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > > > > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
