> >> Thanks for the info Bret. What I've come up with is this:
> >
> >> header _FROM_DOMAIN From ~= /example\.com/i
> >> header _SPF_TRUE /\bSPF_FAIL\b/
> >> meta DOMAIN_SPF_TRUE (_FROM_DOMAIN&&_SPF_TRUE)
> >> score DOMAIN_SPF_TRUE 10.0
> >
> >> Will this work?
> >
> > Kinda, with few changes:
> >
> > header __FROM_DOMAIN From ~= /\bexample\.com\b/i
> > header __SPF_TRUE ALL ~= /\bSPF_FAIL\b/
> >
> > This will make sure you get example.com and not
> myexample.communists.
> > However, the From header is *really* easy to spoof, so this
> isn't much
> > of a check. You would probaly be better off looking for
> the host name
> > in one of the received headers.
> >
> > You also need to give a target to the second header test. I used
> > "ALL" to search all of the headers for the string you want.
> However,
> > if you know the name of the header you are looking for, you could
> > better do something like
> >
> > header __SPF_CHECK SPF_FAIL:Exists
> >
> > Assuming the header was named "SPF_FAIL"
> >
> > Note also you want two leading underscores, not one, on those meta
> > parts, so the final line becomes:
> >
> > meta DOMAIN_SPF_TRUE (__FROM_DOMAIN && __SPF_TRUE)
> >
> >
> > Loren
> >
> Hi Loren
>
> Thank you very much. I'll give it a try. The final filter
> will then look
> like this?
>
> header __FROM_DOMAIN From ~= /\bexample\.com\b/i
> header __SPF_TRUE ALL ~= /\bSPF_FAIL\b/
> meta DOMAIN_SPF_TRUE (__FROM_DOMAIN&&__SPF_TRUE)
> score DOMAIN_SPF_TRUE 10.0
>
> Just a question though.. This whole process happens in
> Spamassassin...
> Will there be a SPF_FAIL in the header already at the time of this
> check?? I get the feeling there won't..
If the SPF test is happening in SA anyway, then you can reduce this to
two rules:
header __FROM_DOMAIN From ~= /\bexample\.com\b/i
meta DOMAIN_SPF_TRUE (__FROM_DOMAIN&&SPF_FAIL)
score DOMAIN_SPF_TRUE 10.0
SPF_FAIL is part of the standard rule set in 25_spf.cf. No sense in
checking the condition twice.
Bret
