Sounds good,

I found this an interesting read about why SPF is ineffective:

http://en.hakin9.org/products/articleInfo/102


Quoting Kelson <[EMAIL PROTECTED]>:

Resending this since I originally sent it from a misconfigured client
(forgot to enable SMTP-AUTH, but POP-before-SMTP let it through) and
got labeled as spam by my own server...

Repeat after me: SPF is not an anti-spam solution.  It is an address
validation solution.

If a spammer puts 0.0.0.0/0 in his SPF record, or creates one that
covers an entire botnet, great!  When you get that spam, you know with
100% certainty that it really came from spammersdomain.com, and you can
feel safe in blacklisting that domain.

Similarly, if a legit domain sets up a tight enough SPF record, you can
whitelist the combination of that domain with an SPF pass (i.e. SA's
whitelist_from_spf).

Don't think of SPF as a magic bullet.  Think of it as one more piece of
evidence you can use for building your case.

From that standpoint, there's nothing wrong with setting up rules based
on the breadth of an SPF record.  Just treat them like any other SA
rule, like whether the From: line has a name, or whether the subject is
missing vowels, etc.  Some legit mail is HTML (sorry, it's true).  Some
legit mail has no name in the From line.  Some legit mail even consists
of a mostly-numeric sender with no name, an image attachment, and not
much else.  (Ever seen someone send an image from a camera phone to an
email address?)  But we still use rules that track those traits
because, when combined with other rules and a balanced score set, they
help classify mail.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
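
An added example, not part of the original thread and not SpamAssassin's own code: one way to measure the "breadth" of an SPF record, as discussed above, so that it can feed a small score like any other rule. The function names, the threshold, the point value and the sample records are assumptions; `include`, `a`, `mx` and similar terms are reported but not resolved, since that needs DNS.

```python
import ipaddress

MECHS_NEEDING_DNS = ("a", "mx", "include", "exists", "ptr")

def spf_breadth(record):
    """Count the IPv4 addresses one SPF record authorizes via ip4/all terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, pass_all, not_counted = [], False, []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]    # "a/24" -> "a"
        if name == "all":
            pass_all = qualifier == "+"
            break                            # terms after "all" are never evaluated
        if qualifier != "+":
            continue                         # simplification: only pass terms widen the record
        if name == "ip4":
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif name in MECHS_NEEDING_DNS or name == "ip6":
            not_counted.append(term)         # needs DNS, or is not IPv4
    if pass_all:
        count = 2 ** 32
    else:
        count = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return {"ipv4_addresses": count, "pass_all": pass_all, "not_counted": not_counted}

def breadth_points(record, broad_at=2 ** 16, points=1.0):
    """Assumed scoring: add `points` when the record covers >= broad_at addresses."""
    return points if spf_breadth(record)["ipv4_addresses"] >= broad_at else 0.0

# Constructed sample records (documentation address ranges, made-up domains).
SAMPLES = {
    "tight": "v=spf1 ip4:192.0.2.0/24 ip4:192.0.2.128/25 -all",
    "whole-internet": "v=spf1 ip4:0.0.0.0/0 -all",
    "plus-all": "v=spf1 +all",
    "dns-only": "v=spf1 include:_spf.example.net mx ~all",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, spf_breadth(rec), breadth_points(rec))
```
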



