On 11/19/2010 3:13 PM, Michael Scheidell wrote:
> Thought you would be interested, a facebook phishing email (yes, it is,
> ) with SPF_PASS
> (reminding EVERYONE, SPF IS NOT A SPAM VS HAM INDICATOR AT ALL)

Hi,

SPF CAN BE YOUR FRIEND HERE:

  header LOCAL_FROM_FBM from =~ /\...@facebookmail\.com/i
  score LOCAL_FROM_FBM 50.0
  whitelist_from_spf *...@facebookmail.com

Of course, Facebook also uses DKIM so the third line above could just as well be:

  whitelist_from_dkim *...@facebookmail.com

or even:

  whitelist_auth *...@facebookmail.com

So in this case, SPF isn't a necessity, but it certainly works. I do similar things in various combinations for many commonly-forged domains.

YMMV...