You could "tag" messages though that originate externally, claim to be From and destined To domain. I've thought of doing that locally. You know, alter the Subject line with [PHISH?] or something like that.
However SPF is really a terrible tool. By design it operates on the envelope, which makes it trivial for phisher to use their own SPF data to make it look valid, then alter the From again later in the header to appear local. I see these often enough. Sender-ID from MS operates on the header instead, which has it's own problems. If you start rejecting based on SPF FAIL, you'd better examine your logs quite thoroughly for babies in the bathwater. My logs are filled with "legitimate" email (ahem) that I would reject on that basis that would make my users quite upset. ________________________________ From: Anthony Hoppe <aho...@sjcourts.org> Sent: Tuesday, August 9, 2016 3:19:27 PM To: Vincent Fox Cc: SpamAssassin Subject: Re: Spoofed Domain When you say SPF is not a good tool for filtering, do you mean that it shouldn't be used at all? Or if SPF_FAIL is triggered that an email should be rejected altogether? ________________________________ From: "Vincent Fox" <vb...@ucdavis.edu> To: "Anthony Hoppe" <aho...@sjcourts.org>, "SpamAssassin" <users@spamassassin.apache.org> Sent: Tuesday, August 9, 2016 3:09:02 PM Subject: Re: Spoofed Domain SPF is not a good tool for filtering IMO. Scoring? Why score them? If you get to the SpamAssassin layer with this you've already failed. Reject! We use ClamAV Foxhole databases, to severely restrict attachment types. Combined with a little bit of greet_pause, and a ton of greylist penalty against PBL and other internet ratholes, very little malware gets through. ________________________________ From: Anthony Hoppe <aho...@sjcourts.org> Sent: Tuesday, August 9, 2016 2:56:54 PM To: SpamAssassin Subject: Spoofed Domain Hello All, Although I've been a member of this list for a while, I'm still very much a n00b when it comes to SpamAssassin. So please keep that in mind when you read my message (don't hurt me!)... :-) Someone out there has decided to spoof our domain and send us spam. My first thought was that SPF checks were not working, but in analyzing the headers of a message one of our users received SPF_FAIL is triggering, but the weight is very low. My first thought is to increase the weight of SPF_FAIL, but I'm not sure what unintended consequences this may create? If increasing the weight of SPF_FAIL is not a good course of action, what do the mighty members of this list suggest? Here are the headers as an example: http://pastebin.com/bnU0npLR This particular email has a macro-enabled Word document attached, but I don't want to assume this will be the case every time. Any tips/tricks/suggestions would be greatly appreciated!
