Author: Peter Bowyer Date: To: exim users New-Topics: [exim] karmasphere.com Subject: Re: [exim] block domain SPF with v=spf1 +all
On 17/09/2007, Elijah Daniel <databug@???> wrote: >
> I've been searching the web on howto block domain with this SPF entry "v=spf1
> +all" on exim4 on debian but couldn't find howto do it. We are using Exim4
> on debian with spamassin installed.
>
> On SpamAssassin we have this rules
>
> header RCVD_SPF_PASS Received-SPF =~ /pass .+mydomain.com.: domain of/i
> describe RCVD_SPF_PASS SPF check for sender passed
> score RCVD_SPF_PASS -3
> score SPF_HELO_FAIL 2
>
> So Spamassassin will give score -3 on those mails with spf entry. I'm
> thinking of blocking the site on exim level, if exim could be setup to
> refuse to talk smtp server with that spf entry.
>
Better rethink your use of SPF. The simple fact of an SPF PASS,
whether or not the domain publishes +all, doesn't indicate anything
about the spamminess of a message. All it does is confirm that the
message came from the domain it claims to have come from.
What's missing is your (or someone you trust's) opinion or experience
about that domain. Use your own whitelists ("I trust mail from
domain1.com so an SPF PASS from that domain means 'ham') and
blacklists ("I know domain2.com are spammers, so an SPF PASS from that
domain means 'spam').
You could also look at third-party reputation services such as
karmasphere.com which can be integrated into Exim as DNSBLs.