On Thu, 21 Apr 2011 12:55:38 -0400, [email protected] wrote:
> By default, it seems SA will honor Received-SPF headers, while I would
> guess most people aren't inserting it at their MTA, so it's a great
> opportunity for spammers to forge the header to say their email passed
> SPF.

This header could be removed in the MTA, and re-added if SPF passes in the
MTA; it's just that there aren't any stable milters that do it so far. But if
headers are removed and added, it most likely invalidates DKIM if the remote
signed it.

> So, shouldn't it be disabled by default, by setting
> ignore_received_spf_header to 1?

agree

> It seems like it would be nice to have a rule like
> (SPF_PASS && !SPF_IN_HOSTKARMA_BL)
> where SPF_IN_HOSTKARMA_BL is a lookup of the domain from the Received-SPF
> header in the hostkarma.junkemailfilter.com zone returning 127.0.0.2. Or
> any other domain blacklist.  I just grabbed one from the bottom of
> http://www.sdsc.edu/~jeff/spam/cbc.html

Or report to the Spamhaus DBL zone, if that's possible?

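The strip-and-re-add step discussed in the reply above, as an added example (not code from the thread or from SpamAssassin): it removes every Received-SPF header that arrived with the message, prepends the locally computed result, and reports whether any DKIM-Signature lists Received-SPF in its h= tag. The function names, the sample message and the `local_result` value are constructed for illustration; the SPF check itself is assumed to run elsewhere in the MTA.

```python
import email

# Constructed sample: the top Received line is ours; everything below it,
# including the Received-SPF "pass", arrived with the message.
RAW = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org; Thu, 21 Apr 2011 12:55:38 -0400
Received-SPF: pass (sender-supplied) client-ip=198.51.100.7;
\tenvelope-from=alice@example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
\th=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED
From: alice@example.com
To: bob@example.org
Subject: hello

body
"""


def dkim_signed_headers(msg):
    """Lower-cased header names listed in the h= tag of each DKIM-Signature."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        # Drop folding whitespace, then walk the tag=value list.
        for tag in "".join(str(sig).split()).split(";"):
            key, _, value = tag.partition("=")
            if key.lower() == "h":
                names.update(n.lower() for n in value.split(":"))
    return names


def replace_received_spf(raw, local_result):
    """Drop every inbound Received-SPF and prepend the locally computed one.

    local_result is the value the MTA's own SPF check produced (assumed to be
    computed elsewhere). Returns (new_message_bytes, removed_values, dkim_hit);
    dkim_hit is True if a signature's h= list covers Received-SPF.
    """
    msg = email.message_from_bytes(raw)
    removed = msg.get_all("Received-SPF", [])
    dkim_hit = "received-spf" in dkim_signed_headers(msg)
    del msg["Received-SPF"]  # removes all occurrences, case-insensitively
    ours = b"Received-SPF: " + local_result.encode("ascii") + b"\n"
    return ours + msg.as_bytes(), removed, dkim_hit
```
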