On 19/11/2010 4:43 PM, Michael Scheidell wrote:
Thought you would be interested: a Facebook phishing email (yes, it is) with SPF_PASS
(reminding EVERYONE, SPF IS NOT A SPAM VS HAM INDICATOR AT ALL)
yes, I publish SPF, I used it in meta rules.

This one passed because the sender used an envelope from in the IP range of the SPF rules.

<http://secnap.pastebin.com/zTmkSc6J>
PS: scored a 3.5 here. By now, hopefully, it scores higher with razor/dcc/spamcop, urlbl, etc.


I'm not sure how SPF could pass on this one. The sending server doesn't have the same domain name, nor is it using an IP authorized in Facebook's SPF records. SPF is supposed to confirm that the sending server is authorized to do so for the domain, but that clearly fails here.
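
The situation discussed in this thread, as an added example that is not part of either poster's message: SPF is evaluated against the envelope-from (MAIL FROM) domain, so a message can get an SPF pass while its visible From: header names a different domain. The domains, addresses and SPF records below are constructed, and only the `ip4` and `all` mechanisms are handled.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF TXT records standing in for DNS lookups (not real data).
SPF_RECORDS = {
    "bulk-host.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "social.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(address):
    """Return the lowercased domain of an address or a From: header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def spf_check(client_ip, envelope_from):
    """Evaluate ip4/all mechanisms for the envelope-from domain only."""
    record = SPF_RECORDS.get(domain_of(envelope_from))
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def assess(client_ip, envelope_from, header_from):
    """SPF result plus whether the checked domain is the one the user sees."""
    result = spf_check(client_ip, envelope_from)
    # Simplification: exact-match alignment (no organizational-domain logic).
    aligned = domain_of(envelope_from) == domain_of(header_from)
    return {"spf": result, "aligned": aligned,
            "suspicious": result == "pass" and not aligned}


if __name__ == "__main__":
    # Constructed message: sender's own domain in MAIL FROM, another in From:.
    print(assess("203.0.113.7", "bounce@bulk-host.example",
                 '"Social" <notification@social.example>'))
```

A meta rule built this way treats an SPF pass as evidence about the envelope domain only, and scores the mismatch with the header From: domain separately.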
