>> Can we temper this rule with a check to see if the mail indeed did pass
>> through a fb server? You're checking the From: header, which can obviously
>> be easily spoofed, but perhaps if it originated from a facebook server?
This would be of limited value. As an MTA, you can only believe the present
knowledge of who has connected to you, which you add as a "Received" header.
Anything earlier than that can be spoofed by the originator. So, it would only
catch a naive spam.

The DKIM signature being valid does what you ask -- DKIM means that the message
originated from a server with access to the private key advertised in the
public DNS for the facebookmail.com domain. I would argue that DKIM_VALID should
trump the other parts of KAM_FACEBOOKMAIL, since I can't think of a case where
you could have a valid signature on a spoofed message.

Right now, that rule triggers if either of SPF or DKIM fails:

  meta KAM_FACEBOOKMAIL ((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))

I would suggest that final "1" in the rule be increased to a "2". Then both SPF
and DKIM would have to fail for this rule to trigger.

I'm also really wary of rules that have scores as high as 8.0, but that's a
separate (and debatable) matter.

--Jered
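The following is an added example, not code from the list post or from SpamAssassin itself. It is a small evaluator for SpamAssassin-style meta-rule expressions (a rule name counts as 1 if it hit, 0 otherwise, which is why "SPF_FAIL + DKIM_ADSP_ALL >= N" counts failed checks), used to compare the rule as quoted above with the ">= 2" change Jered proposes. The third variant, KAM_FACEBOOKMAIL_DKIM_TRUMPS, is my own rendering of his "DKIM_VALID should trump" remark and is an assumption, not a rule from the thread; the rule names are those quoted in the post and the hit sets are constructed.

```python
import ast
import re

# Rule text as quoted in the list post.
KAM_FACEBOOKMAIL_CURRENT = (
    "((__KAM_FACEBOOKMAIL2 >= 1) || "
    "(__KAM_FACEBOOKMAIL1 >= 1 && (SPF_FAIL + DKIM_ADSP_ALL >= 1)))"
)
# Jered's suggestion: raise the final "1" to "2", so both SPF and DKIM must fail.
KAM_FACEBOOKMAIL_BOTH_MUST_FAIL = (
    "((__KAM_FACEBOOKMAIL2 >= 1) || "
    "(__KAM_FACEBOOKMAIL1 >= 1 && (SPF_FAIL + DKIM_ADSP_ALL >= 2)))"
)
# Assumed rendering of "DKIM_VALID should trump": a valid signature suppresses
# the whole rule. This is illustrative only; it is not in the original post.
KAM_FACEBOOKMAIL_DKIM_TRUMPS = "(!DKIM_VALID && " + KAM_FACEBOOKMAIL_CURRENT + ")"

_RULE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _to_python(expr, hits):
    """Turn a Perl-style meta expression into a Python expression over 0/1."""
    # Substitute rule names first so the Python keywords introduced afterwards
    # cannot be mistaken for rule names. Rules not in `hits` become 0.
    numeric = _RULE_NAME.sub(lambda m: "1" if m.group(0) in hits else "0", expr)
    # The rules handled here use only ||, && and a leading !; "!=" is not used.
    return numeric.replace("||", " or ").replace("&&", " and ").replace("!", " not ")


def _eval_node(node):
    """Evaluate the restricted AST: ints, and/or/not, +, and comparisons."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BoolOp):
        values = [_eval_node(v) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_node(node.operand)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _eval_node(node.left) + _eval_node(node.right)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        left = _eval_node(node.left)
        right = _eval_node(node.comparators[0])
        op = node.ops[0]
        if isinstance(op, ast.GtE):
            return left >= right
        if isinstance(op, ast.Gt):
            return left > right
        if isinstance(op, ast.LtE):
            return left <= right
        if isinstance(op, ast.Lt):
            return left < right
        if isinstance(op, ast.Eq):
            return left == right
    raise ValueError("unsupported construct in meta rule: " + ast.dump(node))


def meta_hits(expr, hits):
    """Return True if meta rule `expr` fires for a message whose rule hits are `hits`."""
    tree = ast.parse(_to_python(expr, hits), mode="eval")
    return bool(_eval_node(tree))


if __name__ == "__main__":
    # Constructed hit sets: a From: facebookmail.com message that fails SPF only,
    # one that fails both SPF and DKIM ADSP, and one that carries a valid DKIM signature.
    cases = {
        "SPF fails only": {"__KAM_FACEBOOKMAIL1", "SPF_FAIL"},
        "SPF and DKIM ADSP fail": {"__KAM_FACEBOOKMAIL1", "SPF_FAIL", "DKIM_ADSP_ALL"},
        "SPF fails, DKIM valid": {"__KAM_FACEBOOKMAIL1", "SPF_FAIL", "DKIM_VALID"},
    }
    variants = {
        "current": KAM_FACEBOOKMAIL_CURRENT,
        ">= 2": KAM_FACEBOOKMAIL_BOTH_MUST_FAIL,
        "DKIM trumps": KAM_FACEBOOKMAIL_DKIM_TRUMPS,
    }
    for label, hits in cases.items():
        results = ", ".join(f"{name}={meta_hits(rule, hits)}" for name, rule in variants.items())
        print(f"{label:24s} -> {results}")
```

Running it shows the difference the post is about: with the current rule, a message that fails only SPF already triggers KAM_FACEBOOKMAIL, whereas with ">= 2" it triggers only when both SPF_FAIL and DKIM_ADSP_ALL hit.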