I can contribute a complementary test. In this forum we've harangued over whether SPFPASS is useful and generally agreed that the bulk mail companies can use it, yet you don't want their mail. Also, that anybody that implements SPF probably runs their mailserver and DNS configuration such that they won't get held by your Declude JunkMail anyway.

Well, for two months I've been running this with good success with JunkMail Pro...

I use SPFPASS as a flag. Based on that flag, I then check whether various reliable RBL tests have triggered that would indicate that the message is from a bad guy. Based on SPFPASS being triggered, and none of my RBL tests being triggered, I then give the message some counterweight.

This has worked very well, and I've had only one specific false-positive (an ISP that has SPF set to allow their client space to send mail as the ISP's own domain). This showed up because of a virus on their client space that honestly reported the sender's address (Zafi) when it was sent to us.

There is another class of false-positives, which is those nuisance bogus virus notifications, but those are heavily weighted on my system with more text filters, so those never make it to a mailbox. I don't do anything to try and counteract those in this file.

#Test definitions in my global.cfg
SPFPASS spf pass x 0 0
#Oct-07-2004 AC Reward mail that triggers SPFPASS, but only if the spammer isn't a known bad guy.
SPFGOOD filter D:\IMail\Declude\SPFGood.txt x 0 0

#Contents of SPFGOOD
TESTSFAILED END NOTCONTAINS SPFPASS
TESTSFAILED END CONTAINS SBL
TESTSFAILED END CONTAINS MPBL
TESTSFAILED END CONTAINS SNIFFER
TESTSFAILED END CONTAINS SPAMDOMAINS
TESTSFAILED END CONTAINS SPAMDOMMAILCOM
TESTSFAILED END CONTAINS SPAMDOMLOCAL
TESTSFAILED END CONTAINS MAILPOLICE
TESTSFAILED END CONTAINS HIL

#We may need to add extra exclusions here, for badly implemented SPF records
#that we're not interested in helping, e.g. dccnet.com lists PTR in the
#record, but all of their dynamic client IP space also ends with this,
#which essentially lets all their viruses and junk come from them.
REVDNS END ENDSWITH .dccnet.com

# If we get this far, SPFPASS was triggered and the bad guy isn't a
#well-known spammer. It may be a dynamic IP, though. I'm not testing
#against those, because I think it is more likely that if someone has
#SPFPASS, then the dynamic IP listing is the false positive. This may
#change when spammers try to make smarter use of their trojan'ed zombie
#machines and create more 'infrastructure' with them on disposable
#domain names.
REMOTEIP -7 CONTAINS .

#Let's also check if they are an IADB member see X-IADB-URL
#http://www.isipp.com/iadb.php
#This should really be a completely separate test with verification, but
#maybe later.
HEADERS -5 CONTAINS X-IADB-
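
The decision order of the filter in the message above, as an added example that is not part of the original post and is not Declude's code. It is a simplified model that assumes a matching END rule stops the filter with no weight applied, that CONTAINS is a substring match, and that matching weights are summed; the function name, field names and sample messages are constructed for illustration.

```python
# Simplified model of the SPFGOOD filter (added example, not Declude's code).
# Assumptions: a matching END rule stops the filter with no weight applied,
# CONTAINS is a substring match, and matching numeric weights are summed.

BLOCKING_TESTS = ["SBL", "MPBL", "SNIFFER", "SPAMDOMAINS", "SPAMDOMMAILCOM",
                  "SPAMDOMLOCAL", "MAILPOLICE", "HIL"]

# Each rule: (message field, "END" or numeric weight, predicate on the field).
RULES = [("tests_failed", "END", lambda v: "SPFPASS" not in v)]
RULES += [("tests_failed", "END", lambda v, t=t: t in v) for t in BLOCKING_TESTS]
RULES += [
    ("revdns", "END", lambda v: v.lower().endswith(".dccnet.com")),
    ("remote_ip", -7, lambda v: "." in v),
    ("headers", -5, lambda v: "X-IADB-" in v),
]

def spfgood_weight(msg):
    """Return the counterweight the filter would contribute for one message."""
    weight = 0
    for field, action, matches in RULES:
        if not matches(msg[field]):
            continue
        if action == "END":
            return weight  # stop processing; later credit lines never run
        weight += action
    return weight

def sample(tests, revdns="mail.example.org", headers=""):
    """Build a constructed message record (documentation IP, made-up hosts)."""
    return {"tests_failed": tests, "revdns": revdns,
            "remote_ip": "192.0.2.10", "headers": headers}

# Constructed sample messages covering each branch of the filter.
SAMPLES = {
    "spf_only": sample("SPFPASS"),
    "spf_and_sniffer": sample("SPFPASS SNIFFER"),
    "no_spf": sample("", headers="X-IADB-URL: http://www.isipp.com/iadb.php"),
    "isp_dynamic": sample("SPFPASS", revdns="dyn-7.dccnet.com"),
    "spf_iadb": sample("SPFPASS",
                       headers="X-IADB-URL: http://www.isipp.com/iadb.php"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:16} {spfgood_weight(msg):4}")
```
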
- RE: [Declude.JunkMail] SPF Success Colbeck, Andrew
- RE: [Declude.JunkMail] SPF Success Markus Gufler
