On Tue, 6 Oct 2015 17:05:48 -0400
Kevin A. McGrail wrote:

> On 10/6/2015 5:01 PM, Jered Floyd wrote:
> > Ah; good eyes!
> >
> > That KAM_FACEBOOK rule is dangerous.
> The behavior of forwarding content which effectively is the same as a
> forgery is where the danger lies... If this is behavior that users
> are performing, of course then there needs to be appropriate reaction
> but overall, forwarding emails is going to cause issues with a ton of
> domains and should be discouraged entirely.

Assuming that Facebook applies DKIM consistently, I think it would be
better to replace:

  (SPF_FAIL + DKIM_ADSP_ALL >=1)

with

  DKIM_ADSP_ALL && ! (SPF_PASS && __ENV_AND_HDR_FROM_MATCH)

This eliminates most of the FPs caused by broken SPF without creating
any extra scope for forgery. The full rule is then:

meta KAM_FACEBOOKMAIL __KAM_FACEBOOKMAIL2 || __KAM_FACEBOOKMAIL1 && DKIM_ADSP_ALL && !(SPF_PASS && __ENV_AND_HDR_FROM_MATCH)

(The use of __ENV_AND_HDR_FROM_MATCH is really a bit too strict - it
might be useful to have an extra eval rule that only checks the
domains.)
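
Added example, not part of the original message or of the KAM ruleset: a small Python model that enumerates every combination of the three rule hits and compares the old sub-expression with the proposed one. It assumes SPF_PASS and SPF_FAIL never fire on the same message and leaves out the `__KAM_FACEBOOKMAIL1`/`__KAM_FACEBOOKMAIL2` terms, which are the same in both versions.

```python
from itertools import product

# Modelled rule hits (assumption: SPF_PASS and SPF_FAIL are mutually
# exclusive; "other" covers softfail, neutral, none and errors).
SPF_RESULTS = ("pass", "fail", "other")


def old_condition(spf, adsp_all, env_hdr_match):
    """(SPF_FAIL + DKIM_ADSP_ALL >= 1): either hit alone is enough."""
    return int(spf == "fail") + int(adsp_all) >= 1


def new_condition(spf, adsp_all, env_hdr_match):
    """DKIM_ADSP_ALL && !(SPF_PASS && __ENV_AND_HDR_FROM_MATCH)."""
    return adsp_all and not (spf == "pass" and env_hdr_match)


def compare():
    """Return (states where the two differ, states only the new one hits)."""
    changed, newly_hit = [], []
    for state in product(SPF_RESULTS, (False, True), (False, True)):
        old, new = old_condition(*state), new_condition(*state)
        if old != new:
            changed.append(state)
        if new and not old:
            newly_hit.append(state)
    return changed, newly_hit


if __name__ == "__main__":
    changed, newly_hit = compare()
    for spf, adsp_all, match in changed:
        print(f"SPF={spf:5} DKIM_ADSP_ALL={adsp_all!s:5} "
              f"ENV/HDR match={match!s:5} -> no longer hits")
    print("states hit only by the new expression:", newly_hit)
```

The states that stop matching are SPF fail without a DKIM_ADSP_ALL hit (the broken-SPF case) and SPF pass with matching envelope and header From; no state matches the new expression that did not match the old one.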