By default, it seems SA will honor Received-SPF headers, while I would guess most people aren't inserting it at their MTA, so it's a great opportunity for spammers to forge the header to say their email passed SPF.
So, shouldn't it be disabled by default, by setting ignore_received_spf_header to 1? It seems like it would be nice to have a rule like (SPF_PASS && !SPF_IN_HOSTKARMA_BL) where SPF_IN_HOSTKARMA_BL is a lookup of the domain from the Received-SPF header in the hostkarma.junkemailfilter.com zone returning 127.0.0.2. Or any other domain blacklist. I just grabbed one from the bottom of http://www.sdsc.edu/~jeff/spam/cbc.html

-- 
"You will need: a big heavy rock, something with a bit of a swing to it... perhaps Mars" - How to destroy the Earth
http://www.ChaosReigns.com

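The (SPF_PASS && !SPF_IN_HOSTKARMA_BL) check described in the post, as an added stand-alone example that is not part of the original post and not SpamAssassin code: it parses an RFC 7208 style Received-SPF header value, takes the domain from the envelope-from field (an assumption about which domain to look up), builds the hostkarma query name and tests for the 127.0.0.2 answer. The resolver is passed in as a function so the sample runs offline; the sample header is constructed.

```python
import re

HOSTKARMA_ZONE = "hostkarma.junkemailfilter.com"
HOSTKARMA_BLACKLISTED = "127.0.0.2"

# Constructed sample Received-SPF header body (RFC 7208 layout).
# Note: a forged header inserted by the sender parses exactly like a
# genuine one, which is the reason the post suggests ignoring it.
SAMPLE_HEADER = (
    "pass (mx.example.net: domain of bob@sender.example designates "
    "192.0.2.10 as permitted sender) receiver=mx.example.net; "
    "client-ip=192.0.2.10; envelope-from=\"bob@sender.example\"; "
    "helo=smtp.sender.example;"
)


def parse_received_spf(value):
    """Return (result, fields) for a Received-SPF header body."""
    m = re.match(r"\s*(\w+)\s*(?:\([^)]*\))?\s*(.*)$", value, re.S)
    if not m:
        return None, {}
    result = m.group(1).lower()
    fields = {}
    for part in m.group(2).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key.strip().lower()] = val.strip().strip('"')
    return result, fields


def spf_domain(fields):
    """Domain the SPF result applies to, taken from envelope-from."""
    sender = fields.get("envelope-from", "")
    return sender.rsplit("@", 1)[1].lower() if "@" in sender else None


def hostkarma_query(domain):
    """DNS name to look up for a domain in the hostkarma zone."""
    return f"{domain}.{HOSTKARMA_ZONE}"


def spf_pass_not_listed(header_value, resolve):
    """True only if result is 'pass' and the domain is not blacklisted.

    resolve(name) must return the list of A records (empty if NXDOMAIN).
    """
    result, fields = parse_received_spf(header_value)
    domain = spf_domain(fields)
    if result != "pass" or domain is None:
        return False
    return HOSTKARMA_BLACKLISTED not in resolve(hostkarma_query(domain))
```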