On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:
For SA 3.4.0, it says in 50_scores.cf:
# SPF
# Note that the benefit for a valid SPF record is deliberately minimal; it's
# likely that more spammers would quickly move to setting valid SPF records
# otherwise. The penalties for an *incorrect* record, however, are large.
;)
However, ".001" does not seem LARGE to me at all. I would expect at least a
"1". Right now there is tons of facebook spam out there that clearly fails
SPF, such as the following:
X-Spam-Status: No, score=2.407 tagged_above=-10 required=3
tests=[BAYES_50=0.8, DKIM_ADSP_ALL=0.8,
HTML_FONT_LOW_CONTRAST=0.001,
HTML_MESSAGE=0.001, KHOP_BIG_TO_CC=0.001, RDNS_NONE=0.793,
SPF_FAIL=0.001, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
How is .001 in any way considered a "large" penalty?
SPF is _by itself_ not useful as a spam sign.
If you're seeing a lot of facebook spam that fails SPF because it's being
forged, then a rule that checks SPF_FAIL *IF* the mail claims to be from
Facebook, and adds a point or two, would be more reasonable.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Christian martyrs don't explode. -- Marisol
-----------------------------------------------------------------------
7 days until the 68th anniversary of the end of World War II