Joe Quinn wrote:
On 6/9/2016 11:23 AM, Robert Fitzpatrick wrote:
Excuse me if this is too lame a question, but I have the SPF plugin
enabled and it hits a lot. Should SPF_ something hit on every message
if the domain has an SPF record in DNS?

Furthermore, a message found as Google phishing did not get a hit on an
email address where the domain has SPF setup. Not sure if it would
fail anyway if the envelope from is the culprit?

In a perfect world, every message you scan will hit one of the following:
SPF_HELO_NONE
SPF_HELO_NEUTRAL
SPF_HELO_PASS
SPF_HELO_FAIL
SPF_HELO_SOFTFAIL
T_SPF_HELO_PERMERROR
T_SPF_HELO_TEMPERROR

And additionally one of the following:
SPF_NONE
SPF_NEUTRAL
SPF_PASS
SPF_FAIL
SPF_SOFTFAIL
T_SPF_PERMERROR
T_SPF_TEMPERROR

In practice, there's almost certainly a few edge cases where messages
can avoid getting one in either category. For purposes of writing your
own metas against these, the rules that matter most for measuring
spamminess are the none, pass, and fail/softfail results. The rest are
for total coverage of the results that an SPF query can yield, for
debugging and documentation purposes.

Also, none of these will hit at all if you disable network tests.

Yes, network tests are on. I have lots of messages hitting; it is harder to find one that doesn't have hits, as you suggested. However, I can find several out of our database of 280K messages cached which do not hit any of these rules. So, what would be a reason they didn't hit?

The only custom rule I have with SPF_* is with SPF_FAIL combined without DKIM to give higher score:

meta     WT_FORGED_SENDER (SPF_FAIL && !DKIM_VALID)
describe WT_FORGED_SENDER To score high when SPF fails without valid DKIM
score    WT_FORGED_SENDER 8.0

Here is the score for this particular example:

2.095   FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
1.000   XPRIO_SHORT_SUBJ        (No description provided)
0.250   FREEMAIL_REPLYTO_END_DIGIT      Reply-To freemail username ends in digit
0.001   HTML_MESSAGE    HTML included in message
0.001   HEADER_FROM_DIFFERENT_DOMAINS   (No description provided)
0.000   RCVD_IN_DNSWL_NONE      Sender listed at http://www.dnswl.org/, low trust
-1.900  BAYES_00        Bayesian spam probability is 0 to 1%
-5.000  RCVD_IN_JMF_W   (No description provided)

--
Robert
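As an added example (not code from the thread), a small Python checker that sorts a message's rule hits into the two SPF result families Joe lists, evaluates Robert's WT_FORGED_SENDER meta, and picks out listings that hit neither family, which is what Robert is hunting for in his cache. The FORGED_REPORT listing, with its scores and descriptions, is constructed; ROBERT_REPORT is an abridged copy of the listing above.

```python
import re

# The seven results an SPF query can yield, as Joe lists them; the T_ prefix
# on the PERMERROR/TEMPERROR rules is stripped so both spellings are accepted.
SPF_RESULTS = {"NONE", "NEUTRAL", "PASS", "FAIL", "SOFTFAIL", "PERMERROR", "TEMPERROR"}
_SPF_RULE = re.compile(r"^(?:T_)?SPF_(HELO_)?([A-Z]+)$")
_REPORT_LINE = re.compile(r"^\s*-?\d+\.\d+\s+([A-Z0-9_]+)")

def parse_hits(report):
    """Extract rule names from a 'score  RULE  description' listing."""
    return [m.group(1) for m in map(_REPORT_LINE.match, report.splitlines()) if m]

def spf_results(hits):
    """Return (helo_result, mailfrom_result); None where that family never fired."""
    helo = mailfrom = None
    for name in hits:
        m = _SPF_RULE.match(name)
        if not m or m.group(2) not in SPF_RESULTS:
            continue  # not one of the SPF result rules (e.g. a custom SPF_ meta)
        if m.group(1):
            helo = m.group(2)
        else:
            mailfrom = m.group(2)
    return helo, mailfrom

def forged_sender(hits):
    """Robert's WT_FORGED_SENDER meta: SPF_FAIL && !DKIM_VALID."""
    return "SPF_FAIL" in hits and "DKIM_VALID" not in hits

def coverage_gaps(reports):
    """Indices of listings missing a HELO result, a MAIL FROM result, or both.
    If every listing lands here, check that network tests are enabled."""
    return [i for i, r in enumerate(reports) if None in spf_results(parse_hits(r))]

# Robert's listing from the thread (abridged): no SPF_* rule fired at all.
ROBERT_REPORT = """\
2.095   FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
0.001   HEADER_FROM_DIFFERENT_DOMAINS   (No description provided)
-1.900  BAYES_00        Bayesian spam probability is 0 to 1%
"""
# Constructed listing (scores and descriptions made up): a sender whose
# envelope domain fails SPF while the HELO name publishes no record.
FORGED_REPORT = """\
1.000   SPF_FAIL        SPF: envelope sender fails the domain's SPF record
0.001   SPF_HELO_NONE   SPF: HELO name publishes no SPF record
"""
```

Feed it the rule listings from the cached messages and `coverage_gaps` returns the ones with no SPF result in one or both families.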
