On 10/14/2016 3:43 PM, Kris Deugau wrote:
Petr Bena wrote:
Is there any way to get spam assassin to actually figure out that e-mail
is spoofed even if it's obviously easy to figure out?

Consider the case of, oh, say, this message. Or virtually every other
interactive mailing list on the Internet.
Were you to do an SPF check on the From:, you would see it softfail,
because so far as your incoming server is concerned, it does not
originate from the allowed 209.91.128.0/26 IP block that matches the SPF
record for vianet.ca, it originates from the list server.

There are many more similar cases where the From: has no technical
relation, just a real-world business relation, to the envelope sender
address.

On the other hand, SA is a points-based system. If you checked SPF
based on the From header, you could then whitelist known list servers
and other exceptions and add a point or so to the rest. If you set the
score at 0.001 and monitored the non-spam hits for a while, you could
probably come up with a pretty good list of exceptions before upping the
score. (Of course this assumes you are in a position where you can
legally look at the messages passing through your system.)

It could be helpful, or there could be too many exceptions to be
useful. I'd say it's worth a try to see what happens.
--
Bowie
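
The From:-header SPF check with a list-server exception list, as discussed in this thread, sketched in Python. This is an added example, not code from the thread or from SpamAssassin. The SPF record is constructed from the 209.91.128.0/26 block and softfail result mentioned above, the list-server address 192.0.2.10 is a documentation address, and all function and variable names are hypothetical.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF record (no DNS lookup); block and softfail taken from the thread.
SPF_RECORDS = {"vianet.ca": "v=spf1 ip4:209.91.128.0/26 ~all"}
# Hypothetical exception list: relays known to be list servers.
LIST_SERVERS = {ipaddress.ip_network("192.0.2.10/32")}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, ip):
    """Evaluate only ip4/ip6/all terms; other mechanisms are skipped."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = QUALIFIERS.get(term[0])
        mech = term[1:] if qual else term
        qual = qual or "pass"  # no qualifier means "+"
        if mech == "all":
            return qual
        kind, _, value = mech.partition(":")
        if kind in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return qual
    return "neutral"

def from_header_check(raw_message, relay_ip):
    """Return (result, counted); counted means the low-score rule would hit."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none", False
    result = spf_result(record, relay_ip)
    exempt = any(ipaddress.ip_address(relay_ip) in n for n in LIST_SERVERS)
    return result, result in ("softfail", "fail") and not exempt

# Constructed sample message.
SAMPLE = "From: User <user@vianet.ca>\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for ip in ("209.91.128.5", "192.0.2.10", "198.51.100.7"):
        print(ip, from_header_check(SAMPLE, ip))
```

Mail relayed by the listed list server still softfails but is not counted, which is the set of non-spam hits one would review while the score sits at 0.001.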