On 8/8/2013 4:49 PM, John Hardin wrote:
On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:
SPF is _by itself_ not useful as a spam sign.
If you're seeing a lot of facebook spam that fails SPF because it's
being forged, then a rule that checks SPF_FAIL *IF* the mail claims to
be from Facebook, and adds a point or two, would be more reasonable.
In our setup, we get good results from outright blocking any SPF fails
using policyd-spf (python version) during the SMTP transaction and we've
only had to whitelist a handful of badly configured servers. We block
about 4% of all inbound messages by blocking on SPF FAIL.
So I'd argue that SPF FAIL is a pretty good indicator that the message
is very likely to be spam. But in our setup, those messages never get
that far.
SPF PASS, however, is not a good indicator either way.
