"Hector Santos" <spf-discuss(_at_)winserver(_dot_)com> writes:
> Right,
> I understand what you mean matching at least 2 levels to domains (TLD match
> level equal 2 at least).
> But I am specifically talking about where the client literally issues:
> HELO/EHLO domain.com
> MAIL FROM: user @ domain.com
> and
> MFROM.DOMAIN == HELO.DOMAIN
> It is a clear cut violation if SPF(MFROM) returns anything but a FAIL or
> PASS because the client is stating it is inside the secured authorized
> sending network.

Not necessarily. Suppose the domain name is the name of a laptop
computer that sends mail from various IP addresses in addition to its
primary (main) address. The laptop's owner might just publish a
record saying:
v=spf1 ?all
Such a setup is not even as unreasonable as it sounds, if, for
instance, the domain name has MX records pointing to a static mail
server and the sender uses BATV or SES or something to avoid unwanted
bounces.
That said, I wouldn't be surprised to hear that a lot of spammers just
issue the same HELO name as the mail-from domain. Thus, I can
understand why this rule might catch a lot of spam.
One good thing is that all the information you need to perform your
test should be available in the Received: and Received-SPF headers.
Thus, your suggestion might be an appropriate rule to add to a
score-based spam filter like SpamAssassin. If your mail server has
been adding Received-SPF (or the older SPF-Received) headers, you
might back-test the rule on an existing corpus to see whether it
reduces the number of false negatives without increasing false
positives.
David
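The back-test suggested in the message above, as an added example that is not part of the original post: it flags a message when the HELO name equals the MAIL FROM domain and the recorded SPF result is neither pass nor fail, then counts hits per label. The function names and the corpus are constructed for illustration; the `helo=` and `envelope-from=` keys are the standard Received-SPF key-value pairs, and the fallback assumes the topmost Received: line was written by your own server.

```python
import re
from email import message_from_string

KV = re.compile(r'([a-z-]+)=("[^"]*"|[^;\s]+)')   # key=value pairs after the result
RCVD_HELO = re.compile(r'\s*from\s+(\S+)', re.I)   # "from <helo> (...)" in Received:

def rule_hit(raw):
    """True when HELO domain == MAIL FROM domain and SPF is neither pass nor fail."""
    msg = message_from_string(raw)
    spf = msg.get("Received-SPF") or msg.get("SPF-Received") or ""
    m = re.match(r'\s*([A-Za-z]+)', spf)
    if not m:
        return False                                # no SPF result recorded
    result = m.group(1).lower()
    pairs = re.sub(r'\([^)]*\)', ' ', spf).lower()  # drop the free-text comment
    kv = {k: v.strip('"') for k, v in KV.findall(pairs)}
    helo = kv.get("helo")
    if helo is None:                                # fall back to the top Received: line
        r = RCVD_HELO.match(msg.get("Received", ""))
        helo = r.group(1).lower() if r else ""
    mfrom = kv.get("envelope-from", "").strip("<>").rpartition("@")[2]
    same = bool(mfrom) and helo.rstrip(".") == mfrom.rstrip(".")
    return same and result not in ("pass", "fail")

def backtest(corpus):
    """Count rule hits per label over (label, raw_message) pairs."""
    hits = {"spam": 0, "ham": 0}
    for label, raw in corpus:
        hits[label] += rule_hit(raw)
    return hits

def sample(helo, mfrom, result, with_helo_key=True):
    """Build a constructed message carrying only the headers the rule reads."""
    spf = (f"Received-SPF: {result} (mx.example.org: constructed) "
           f"client-ip=192.0.2.10; envelope-from={mfrom};")
    if with_helo_key:
        spf += f" helo={helo};"
    return f"Received: from {helo} (unknown [192.0.2.10]) by mx.example.org\n{spf}\n\nbody\n"

# Constructed corpus, not real mail: (label, message)
CORPUS = [
    ("spam", sample("example.net", "bob@example.net", "neutral")),
    ("spam", sample("example.net", "bob@example.net", "softfail", with_helo_key=False)),
    ("spam", sample("example.net", "bob@example.net", "fail")),
    ("ham",  sample("mail.example.com", "alice@example.com", "pass")),
    ("ham",  sample("laptop.example.org", "me@laptop.example.org", "neutral")),  # the "?all" laptop
]

if __name__ == "__main__":
    print(backtest(CORPUS))
```

The one ham hit is the `v=spf1 ?all` laptop case described in the reply, which is why the rule suits a score contribution better than an outright reject.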