Hello! I have noticed a few phishing attempts trapped in the IMF on my SBS 2003 SP1 server with Exchange SP2, and some that got through, that claim to be from some rather major domain names (banks, auction sites). When I look up to see if they have an SPF record, they all have the softfail "~all" at the end of their SPF records instead of the "-all" hardfail tag. It seems a waste of time to have an SPF record if one is not going to set it to hardfail on a spoof attempt. Why not just use the "-all" at the end? What am I missing?

Gregg Hill
----------------
DISCLAIMER WARNING: the information contained in any reply I make is merely an OPINION, one that I hope you will consider when you make a choice as to what you will do on your systems or network. **No recommendation is to be implied by my OPINION.** There, that should cover it!
Leythos, I understand your points, but my question was more towards the point that if one is going to set up an SPF record for one's domain, why not have the "-all" hard fail instead of the "~all" soft fail? I mean, if one goes to the trouble of setting up an SPF record in order to prevent spoofing of one's domain (provided the receiving system checks SPF records), why bother with SPF at all if one is not going to hard fail it when spoofed? It does not make sense to me why such major domains would put in a soft fail rather than a hard fail when their domains get spoofed. If they had a hard fail "-all" in their records, then my server could block all spoofed mail purporting to be from their domains. Right, it lets it through because their SPF records are set to soft fail.

Gregg Hill
That these organisations don't necessarily actually know that they've identified all their outbound mail servers. If they have missed any while setting up the SPF record, and they set it for -all ("this list is definitive"), they'll get a ton of undeliverable mail. If instead they opt for ~all, their outbound mail will continue to flow. A really good anti-garbage filtering system will use SPF results to influence further testing. The IMF does not fall into that category, as it's only a basic filtering tool.
Well, that makes sense. I have seen a few recommendations for ORF. I have downloaded the trial, but have not installed it yet. Do you know if ORF uses SPF records in its spam checking?

Gregg Hill
Hmm, SPF has been around for about 3 or 4 years now. I s'pose in the grand scheme of things you could still call that "new".