In my experience the FORGED_*_RCVD rules do not always work well.  At
least, they don't play well with some job search sites.  

I'm looking at an example right now of a message with a MAIL FROM of
[EMAIL PROTECTED] (I'm assuming that's what you mean by "envelope from").
The "From header from" is the same.  The received lines contain
mx1.hq.ny.hotj.net and mailhost.hotjobs.com, but no yahoo.  Hence, it
matches on the FORGED_YAHOO_RCVD rule and, in this case, generates a
false positive.  Has anybody else seen this same issue?

I don't see how SPF would avoid creating false positives in the same
way.  Proponents of SPF might argue HotJobs is not playing by the rules
using the envelope from in this manner, but that doesn't really solve the
problem for a business using SpamAssassin who wants to make sure resumes
from such sites aren't blocked.  We've seen similar cases with
monster.com.

If Yahoo were to implement the SPF scheme, would there be a case where
FORGED_YAHOO_RCVD would match on a message the SPF rule would not?

Thanks for the help!
- Philip

-----Original Message-----
From: Justin Mason [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 12:59 PM
To: Philip Tucker
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Re: SPF Support in SA? 


Philip Tucker writes:
> I have a couple questions about SPF and its usage in SpamAssassin.
> 
> 1) Would SPF obsolete the FORGED_*_RCVD rules?

Not just yet, anyway.  They work quite well for the most part ;)

> 2) How does SPF deal with senders who are not forwarding a message, but
> are sending on behalf of a user?
> 
> We have seen the latter case often with resume sites.  e.g.,
> [EMAIL PROTECTED] submits his resume to HotJobs and responds to a job
> posting.  An email is sent from whatever.hotjobs.com, but the MAIL FROM
> is [EMAIL PROTECTED]  We've gotten a lot of false positives this way if
> the email address is Yahoo, AOL, or one of the others for which
> SpamAssassin has FORGED rules.  
> 
> How would SPF address this kind of message?  It's my understanding that
> a DNS query would be sent to yahoo.com, which would respond with its
> outgoing SMTP IP addresses - not containing HotJobs' IP - and cause the
> message to be rejected.

You're confusing "envelope from" with "From header from".   In this case
the jobs site is likely to use their own env-from.  See
http://spf.pobox.com/ for more details.

- --j.
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
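
The distinction the thread turns on (a check keyed on the header From and Received lines versus a check keyed on the envelope MAIL FROM) can be seen side by side in the following added example, which is not from either poster or from SpamAssassin. The domains, IP ranges, policy table and function names are constructed, and `forged_rcvd_heuristic` is a simplified model of the behaviour described in the message above, not SpamAssassin's rule code.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF-like policies (documentation IP ranges); stands in for DNS lookups.
POLICY = {
    "yahoo.example": ["192.0.2.0/24"],
    "jobsite.example": ["198.51.100.0/24"],
}

def domain_of(addr):
    """Domain part of an address such as 'Name <user@dom>' or 'user@dom'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def forged_rcvd_heuristic(msg, brand="yahoo.example"):
    """Simplified model (assumption): header From claims the brand,
    but no Received line mentions it."""
    if domain_of(msg.get("From", "")) != brand:
        return False
    return not any(brand in r.lower() for r in msg.get_all("Received", []))

def spf_like(mail_from, client_ip):
    """Check the connecting IP against the policy of the envelope (MAIL FROM) domain."""
    nets = POLICY.get(domain_of(mail_from))
    if nets is None:
        return "none"  # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

# Constructed message: a job site relays a resume on behalf of a webmail user.
RAW = """Received: from mailhost.jobsite.example (mailhost.jobsite.example [198.51.100.7])
\tby mx.recruiter.example; Wed, 7 Jan 2004 12:00:00 -0500
From: Applicant <applicant@yahoo.example>
To: hr@recruiter.example
Subject: Resume

body
"""

def evaluate(mail_from, client_ip="198.51.100.7"):
    """Return (header heuristic fired?, SPF-like result) for a given envelope sender."""
    msg = message_from_string(RAW)
    return forged_rcvd_heuristic(msg), spf_like(mail_from, client_ip)

if __name__ == "__main__":
    print(evaluate("bounces@jobsite.example"))   # job site uses its own envelope sender
    print(evaluate("applicant@yahoo.example"))   # job site reuses the user's address
```

The same message body produces different SPF-like results depending only on the envelope sender the relaying site chooses, while the header-based heuristic fires in both cases.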