SPF is not a good tool for filtering IMO.
Scoring? Why score them? If you get to the SpamAssassin layer with this you've already failed. Reject! We use ClamAV Foxhole databases, to severely restrict attachment types. Combined with a little bit of greet_pause, and a ton of greylist penalty against PBL and other internet ratholes, very little malware gets through. ________________________________ From: Anthony Hoppe <aho...@sjcourts.org> Sent: Tuesday, August 9, 2016 2:56:54 PM To: SpamAssassin Subject: Spoofed Domain Hello All, Although I've been a member of this list for a while, I'm still very much a n00b when it comes to SpamAssassin. So please keep that in mind when you read my message (don't hurt me!)... :-) Someone out there has decided to spoof our domain and send us spam. My first thought was that SPF checks were not working, but in analyzing the headers of a message one of our users received SPF_FAIL is triggering, but the weight is very low. My first thought is to increase the weight of SPF_FAIL, but I'm not sure what unintended consequences this may create? If increasing the weight of SPF_FAIL is not a good course of action, what do the mighty members of this list suggest? Here are the headers as an example: http://pastebin.com/bnU0npLR This particular email has a macro-enabled Word document attached, but I don't want to assume this will be the case every time. Any tips/tricks/suggestions would be greatly appreciated!