On 9 Aug 2016, at 17:56, Anthony Hoppe wrote:
> My first thought is to increase the weight of SPF_FAIL, but I'm not
> sure what unintended consequences this may create?
There are a substantial number of domains with overly-restrictive SPF.
There are also still transparent forwarders out there that will cause
SPF_FAIL for *ANY* domain with a '-all' default. There are even still
some "mail this page to a friend" gadgets on websites that use any
address they are given as the sender.
> If increasing the weight of SPF_FAIL is not a good course of action,
> what do the mighty members of this list suggest?
It depends on how well-controlled the legitimate uses of your domain's
addresses are. You should definitely look at your logs and see if
there's any legit(ish) inbound traffic with your users' addresses as
senders before doing anything to filter on that basis.
If you determine it to be safe, you can add a local rule that matches
your domain in the envelope sender address (NOT the From header) and a
meta rule that combines that with SPF_FAIL to score much higher, e.g.:
# Envelope sender (Return-Path), not the From: header, ends in my domain.
# Dots are escaped and the pattern is anchored so "mydomXexample.org" or
# "mydom.example.org.evil.example" does not match.
describe LOCAL_MY_USERS Envelope sender is in my domain
header LOCAL_MY_USERS EnvelopeFrom =~ /\@mydom\.example\.org$/i
score LOCAL_MY_USERS -0.1
# Fires only when the local-domain match and an SPF hard fail coincide.
describe LOCAL_MY_USERS_SPOOF Claims to be from one of my users in violation of SPF
meta LOCAL_MY_USERS_SPOOF LOCAL_MY_USERS && SPF_FAIL
score LOCAL_MY_USERS_SPOOF 4.5
You could also make the first one an unscored rule by using '__' as the
1st 2 characters of the name and not giving it a score, if you'd rather
not have it show up in hit lists.
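An added example (not from the thread) of the log check recommended above, done on stored messages instead of logs: it applies the same envelope-sender and SPF tests the two rules use and lists every message the meta rule would have penalised, so forwarders and other legit(ish) sources can be found before the score goes live. The domain, the message samples and the Received-SPF layout are constructed for the example.

```python
import re
from email import message_from_string

MY_DOMAIN = "mydom.example.org"  # placeholder domain taken from the thread, assumed
# Same test the LOCAL_MY_USERS rule applies: envelope sender ends in @mydom.example.org
LOCAL_USER_RE = re.compile(r"@" + re.escape(MY_DOMAIN) + r"$", re.IGNORECASE)

def envelope_from(msg):
    """Envelope sender as the MTA recorded it in Return-Path (not the From: header)."""
    raw = msg.get("Return-Path", "")
    m = re.search(r"<([^>]*)>", raw)
    return m.group(1).strip() if m else raw.strip()

def spf_result(msg):
    """First token of Received-SPF (pass/fail/softfail/...), 'none' if absent."""
    value = msg.get("Received-SPF", "")
    return value.split(None, 1)[0].lower() if value else "none"

def audit(raw_messages):
    """Classify messages the way LOCAL_MY_USERS / LOCAL_MY_USERS_SPOOF would.

    Returns (local_total, local_spf_fail, review); review holds
    (envelope_from, client-ip, Subject) for each message the meta rule
    would hit, for manual checking against known forwarders.
    """
    local_total = local_fail = 0
    review = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = envelope_from(msg)
        if not LOCAL_USER_RE.search(sender):
            continue                      # LOCAL_MY_USERS would not fire
        local_total += 1
        if spf_result(msg) == "fail":     # SPF_FAIL: meta rule would fire
            local_fail += 1
            ip = re.search(r"client-ip=([\d.:a-fA-F]+)", msg.get("Received-SPF", ""))
            review.append((sender, ip.group(1) if ip else "?", msg.get("Subject", "")))
    return local_total, local_fail, review

# Constructed sample messages, not real traffic: an internal send with SPF pass,
# a transparent forwarder and a spoof that both fail SPF, and an unrelated domain.
SAMPLES = [
    "Return-Path: <alice@mydom.example.org>\nReceived-SPF: pass (mx: 192.0.2.10 is permitted) client-ip=192.0.2.10\nSubject: internal\n\nbody\n",
    "Return-Path: <alice@mydom.example.org>\nReceived-SPF: fail (mx: 203.0.113.7 not permitted) client-ip=203.0.113.7\nSubject: Fwd: via old alumni forwarder\n\nbody\n",
    "Return-Path: <ceo@MYDOM.example.org>\nReceived-SPF: fail (mx: 198.51.100.9 not permitted) client-ip=198.51.100.9\nSubject: urgent wire transfer\n\nbody\n",
    "Return-Path: <bob@other.example.net>\nReceived-SPF: fail (mx: 198.51.100.9 not permitted) client-ip=198.51.100.9\nSubject: unrelated\n\nbody\n",
]

if __name__ == "__main__":
    total, fails, review = audit(SAMPLES)
    print(f"{total} local envelope senders, {fails} would hit LOCAL_MY_USERS_SPOOF")
    for sender, ip, subject in review:
        print(f"  {sender:<28} {ip:<16} {subject}")
```

Any entry in the review list that comes from a forwarder you want to keep is a candidate for a whitelist_from_rcvd entry or a lower meta score rather than a reason to drop the rule.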