I'll comment on this before anyone else does. :-)

> Author: quinlan
> Date: Sun May 30 22:55:49 2004
> New Revision: 20683
>
> Modified:
>    incubator/spamassassin/trunk/rules/70_testing.cf
> Log:
> removing T_SPF_PASS_NO_SBL - all of my hits are really spam

I don't think any one rule is sufficient to make a simple "does an SPF
record exist" test worthwhile. The test needs to be paired with *actual
domain names* that are known to be good senders.

I took all SPF_PASS hits (318) in the last 14 days of corpus results and
looked at the other rules hit on those spam messages:

    318 SPF_PASS                 <- spammers with SPF records
    247 HTML_MESSAGE
    239 SPF_HELO_PASS            <- both!
    197 T_SPF_PASS_NO_SBL
    169 URIBL_WS_SURBL
    159 RAZOR2_CF_RANGE_51_100
    157 URIBL_SBL
    134 RAZOR2_CHECK
    130 MIME_HTML_ONLY
    121 T_SPF_HELO_PASS_NO_SBL
    121 RCVD_IN_SBL
    114 BAYES_99
    112 T_RCVD_IN_SBL
    106 URIBL_BE_SURBL
    103 T_RATWARE_RCVD_PF_1
     98 CLICK_BELOW
    ... long tail

I don't think any small set of rules is sufficient. And if you include
too many rules, then the entire point of having a negative rule is
missed.

We should be attempting to couple SPF pass with specific names. For
example, it should be required for our default whitelist.

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
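Added example, not part of the original message or of SpamAssassin's own code: a Python sketch of the analysis described above (tallying the other rules hit on spam that passes SPF), followed by a comparison of crediting any SPF pass versus crediting SPF pass only for known-good sender domains. The three-column log format, the sample lines, the domain names and the `KNOWN_GOOD` set are all constructed assumptions, not real corpus data or the mass-check format.

```python
from collections import Counter

# Constructed sample (assumed simplified format, one message per line):
#   class ("Y" = spam, "." = ham), envelope-sender domain, comma-separated rules hit
SAMPLE = """\
Y bulk-offers.example SPF_PASS,SPF_HELO_PASS,HTML_MESSAGE,URIBL_SBL
Y pills.example SPF_PASS,HTML_MESSAGE,BAYES_99
Y bulk-offers.example SPF_PASS,SPF_HELO_PASS,RCVD_IN_SBL
Y nospf.example HTML_MESSAGE,BAYES_99
. lists.example.org SPF_PASS,SPF_HELO_PASS
. friend.example HTML_MESSAGE
"""

# Hypothetical list of sender domains known to be good.
KNOWN_GOOD = {"lists.example.org"}


def parse(text):
    """Yield (is_spam, sender_domain, set_of_rules) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        cls, domain, rules = line.split()
        yield cls == "Y", domain.lower(), set(rules.split(","))


def cohits(text, rule="SPF_PASS"):
    """Count every rule that fired on spam messages which also hit `rule`."""
    counts = Counter()
    for is_spam, _domain, rules in parse(text):
        if is_spam and rule in rules:
            counts.update(rules)
    return counts


def spf_credit(text, coupled):
    """Return (ham, spam) message counts that would get the negative SPF score.

    coupled=False: any message hitting SPF_PASS is credited.
    coupled=True:  SPF_PASS counts only when the sender domain is in KNOWN_GOOD.
    """
    ham = spam = 0
    for is_spam, domain, rules in parse(text):
        if "SPF_PASS" in rules and (not coupled or domain in KNOWN_GOOD):
            if is_spam:
                spam += 1
            else:
                ham += 1
    return ham, spam


if __name__ == "__main__":
    for name, n in cohits(SAMPLE).most_common():
        print(f"{n:4d} {name}")
    print("any SPF pass (ham, spam):", spf_credit(SAMPLE, coupled=False))
    print("SPF pass + known-good domain (ham, spam):", spf_credit(SAMPLE, coupled=True))
```
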
