Dennis Willson wrote:
Well I must say that if all someone has to do is make the
<return-path> and the From addresses different to spoof my
(or an incoming) domain, then I don't see any usefulness in
SPF. What's the point if it's that easy to get around?
See also the other replies. Two points I can think of:
- your original example was a PayPal phish. PayPal has an
SPF sender policy, so you'd get a PASS for legit PayPal mail.
So if you get anything else claiming to be somehow related
to PayPal, but it has no PASS, you'd check it carefully.
In all normal cases you either know why it has no PASS or
it's spoofed.
- if your MX gets a mail claiming to be MAIL FROM me then
it's most probably my spammer (=> SPF FAIL); otherwise,
if it's really me, you'd get an SPF PASS (see above).
You can then not only reject the FAIL, you can be almost
sure that the sending IP is a zombie controlled by a
spammer. Therefore you'd block it temporarily until you
are sure (= dubious IP shown by your ordinary blacklists).
Bye, Frank
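The two rules from the reply above, as an added example that is not part of the thread: SPF is evaluated on the envelope sender (Return-Path / MAIL FROM), a FAIL is rejected, and a From header claiming a domain that publishes a policy is flagged unless that same domain got a PASS. The policy table, domains and addresses are constructed stand-ins for DNS lookups (hypothetical, not PayPal's real record).

```python
import email
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups: domain -> networks allowed to send
# for it. Hypothetical data; a real check would query each domain's SPF record.
SPF_POLICIES = {
    "paypal.example": ["192.0.2.0/24"],
    "frank.example": ["198.51.100.10/32"],
}


def spf_check(envelope_domain, client_ip):
    """Simplified SPF result for the envelope (MAIL FROM) domain:
    PASS if the connecting IP is in the domain's policy, FAIL if the
    domain publishes a policy that excludes it, NONE if it has none."""
    nets = SPF_POLICIES.get(envelope_domain)
    if nets is None:
        return "NONE"
    ip = ipaddress.ip_address(client_ip)
    return "PASS" if any(ip in ipaddress.ip_network(n) for n in nets) else "FAIL"


def domain_of(header_value):
    """Domain part of the first address in a header (lower-cased)."""
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()


def classify(raw_message, client_ip):
    """Return 'reject', 'suspect' or 'accept' following the reply's reasoning.
    SPF only vouches for the envelope sender, so a message whose From header
    names a policy-publishing domain is suspect unless that domain itself
    produced the PASS (the Return-Path/From mismatch Dennis describes)."""
    msg = email.message_from_string(raw_message)
    env_domain = domain_of(msg.get("Return-Path"))
    from_domain = domain_of(msg.get("From"))
    result = spf_check(env_domain, client_ip)
    if result == "FAIL":
        return "reject"  # the IP is not one the envelope domain authorised
    if from_domain in SPF_POLICIES and not (result == "PASS" and from_domain == env_domain):
        return "suspect"  # claims a protected domain without a PASS for it
    return "accept"


# Constructed sample messages: the phish uses an unrelated envelope domain so
# SPF has nothing to say about it, while the From header still claims PayPal.
PHISH = "Return-Path: <bounce@throwaway.example>\nFrom: service@paypal.example\n\nClick here"
LEGIT = "Return-Path: <bounce@paypal.example>\nFrom: service@paypal.example\n\nHello"
```

Run `classify(PHISH, "203.0.113.9")` to see the phish come back as "suspect" despite not failing SPF; the same From header with the legitimate envelope and an authorised IP is accepted.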