On Aug 8, 2013, at 10:49 PM, John Hardin <jhar...@impsec.org> wrote:
> On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:
>
>> For SA 3.4.0, it says in 50_scores.cf:
>>
>> # SPF
>> # Note that the benefit for a valid SPF record is deliberately minimal; it's
>> # likely that more spammers would quickly move to setting valid SPF records
>> # otherwise. The penalties for an *incorrect* record, however, are large.
>> ;)
>>
>> However, ".001" does not seem LARGE to me at all. I would expect at least a
>> "1". Right now there are tons of facebook spam out there that clearly fail
>> SPF, such as the following:
>>
>> X-Spam-Status: No, score=2.407 tagged_above=-10 required=3
>> tests=[BAYES_50=0.8, DKIM_ADSP_ALL=0.8,
>> HTML_FONT_LOW_CONTRAST=0.001,
>> HTML_MESSAGE=0.001, KHOP_BIG_TO_CC=0.001, RDNS_NONE=0.793,
>> SPF_FAIL=0.001, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
>>
>> How is .001 in any way considered a "large" penalty?
>
> SPF is _by itself_ not useful as a spam sign.
>
> If you're seeing a lot of facebook spam that fails SPF because it's being
> forged, then a rule that checks SPF_FAIL *IF* the mail claims to be from
> Facebook, and adds a point or two, would be more reasonable.

Facebook DKIM signs all their emails with the domain facebookmail.com, so you may have better luck using the ADSP rules...
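One way to write the targeted rule John describes (SPF_FAIL only counts when the mail claims to be from Facebook), as an added SpamAssassin local.cf fragment that is not from this thread. The rule names __FROM_CLAIMS_FB and FB_SPF_FORGED, the 1.5 score, and the From: domain pattern are assumptions; SPF_FAIL and DKIM_ADSP_ALL are the standard rules seen in the quoted X-Spam-Status line, and DKIM_VALID_AU is SpamAssassin's standard "valid signature from the author's domain" rule, used here so that genuinely facebookmail.com-signed mail is not penalised.

```conf
# Sub-rule (leading __ means it scores nothing on its own): does the
# From: address claim a Facebook sending domain?  The domain list is a
# constructed assumption; adjust it to what you actually see in your mail.
header   __FROM_CLAIMS_FB   From:addr =~ /\@(?:facebookmail|facebook)\.com$/i

# Meta rule: claims to be Facebook, fails SPF, and carries no valid DKIM
# signature from the author domain.  Real Facebook mail is DKIM-signed by
# facebookmail.com, so DKIM_VALID_AU should fire on it and this rule
# should not.
meta     FB_SPF_FORGED      __FROM_CLAIMS_FB && SPF_FAIL && !DKIM_VALID_AU
describe FB_SPF_FORGED      Claims to be from Facebook but fails SPF with no valid author-domain DKIM

# "A point or two", as suggested upthread; 1.5 is an assumed starting point.
# Leave the global SPF_FAIL score alone so it stays a weak generic signal.
score    FB_SPF_FORGED      1.5

# Optional: if the ADSP route is preferred instead, the same shape works
# with the ADSP rule already firing in the quoted report.
meta     FB_ADSP_FORGED     __FROM_CLAIMS_FB && DKIM_ADSP_ALL
describe FB_ADSP_FORGED     Claims to be from Facebook but violates its DKIM ADSP policy
score    FB_ADSP_FORGED     1.5
```

Check the fragment with `spamassassin --lint` before deploying, and watch the hit rate on a sample of real Facebook notifications to confirm DKIM_VALID_AU is suppressing the rule on legitimate mail.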