1
Delete incoming messages SPF_Fail only selected domains
Question asked by BMark - 11/18/2015 at 3:55 AM
Answered
Hi everyone,
 
Can you automatically delete incoming messages only from selected domains in the event of SPF=Fail on SM14?
 
thank you
 
 
Marco

6 Replies

1
Joe Wolf Replied
Marked As Answer
Sure you can if you allow domains to override spam settings and you have SMTP Blocking enabled for the server.  Just override the domain spam settings and add enough weight to SPF Fail that it triggers SMTP Blocking.
 
I'm not sure why you want to base everything off of SPF but it can be done.
 
-Joe
Thanks,
-Joe
0
BMark Replied
Hi Joe, thanks for the reply,
 
I'm sorry, maybe I explained it badly.

I want to block incoming messages from fake senders, such as email from xx@apple.com sent by a spam (phishing) mail server that does not have permission to send (SPF_fail).
I would make a list of domains to apply this rule to, not all, because many domains do not have SPF.

How could I do this?
 
Marco
0
Joe Wolf Replied
Same answer. If a domain does not have an SPF record it will not fail SPF, but would return SPF none.

-Joe
0
BMark Replied
Yes, you're right, but sometimes it happens that some domains have an incorrect SPF configuration and, resulting in "fail", they would be eliminated.
What SPF weight can you recommend?

Thanks very much
0
Joe Wolf Replied
Well I have a much different philosophy about spam filtering than most here. I use a much simpler (and faster) configuration that eliminates duplicate weighting, etc. The bottom line is that there is NO single test that can determine if a message is spam or ham. We are a fiduciary and have the responsibility to account for every single message... as a result any message must fail at least two major tests to be considered spam. I do not consider SPF Fail as a major test and have minor weight on it alone. Many valid messages fail or softfail SPF. If we blocked every message from a server or domain that had an idiot that doesn't know how to configure things properly we'd be throwing out a LOT of valid messages. That's not the business we're in. We're in the business to make sure we deliver every single valid message, but also try and eliminate or quarantine most all the spam (we catch about 99% of it and that's fine).

When we poll our customers with the following two questions the results are overwhelmingly (82% for the second question this year) decisive:

1. I would like 100% of my incoming spam messages to be blocked or eliminated and I'm willing to miss some of my valid messages as a result.

2. I will accept a little spam to ensure that every valid message is delivered to me.

We SMTP Block the worst of the worst (fail 3 or more major tests).
We quarantine anything spam level low or above that was not SMTP Blocked and send a daily report to each user that had a message quarantined giving them the time, sender, and subject of the message along with instructions on how to retrieve any of them from the Junk E-Mail folder (or how to add a false positive to their Trusted Senders List).

We don't bother with more than a dozen or so RBL's and only three URIBL's. I know there are hundreds of RBL's out there, but only a few have a long term solid reputation that we trust. Many of the others are biased or have a personal agenda that we don't want any part of. We also make sure we aren't doubling up on weights... that's a dangerous thing to do.

So that's the long story. SPF alone is not enough of an indication that a message is spam for us to block it... or even consider it spam.

-Joe
0
BMark Replied
Thanks Joe, you are absolutely right
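
The policy asked about in this thread, as an added example that is not SmarterMail code or configuration and not written by either poster: SPF fail is decisive only for a listed set of sender domains and carries a minor weight everywhere else. The domain list, weights, thresholds and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All values below are assumptions for illustration, not SmarterMail defaults.
STRICT_SENDER_DOMAINS = {"apple.com"}   # exact-match domains where SPF fail alone is decisive
SPF_FAIL_WEIGHT_DEFAULT = 5             # minor weight for every other domain
SPF_FAIL_WEIGHT_STRICT = 30             # reaches the block threshold on its own
QUARANTINE_AT, BLOCK_AT = 10, 30

def spf_result(msg):
    """First token of the Received-SPF header (RFC 7208): pass, fail, softfail, none, ..."""
    m = re.match(r"\s*([a-z]+)", msg.get("Received-SPF", "none").lower())
    return m.group(1) if m else "none"

def envelope_domain(msg):
    """SPF is checked against the envelope sender, recorded here in Return-Path."""
    addr = parseaddr(msg.get("Return-Path", ""))[1]
    return addr.rpartition("@")[2].lower()

def classify(raw, other_weight=0):
    """Return (score, action); other_weight stands in for RBL, URIBL and other tests."""
    msg = message_from_string(raw)
    score = other_weight
    if spf_result(msg) == "fail":       # softfail and none add nothing here
        strict = envelope_domain(msg) in STRICT_SENDER_DOMAINS
        score += SPF_FAIL_WEIGHT_STRICT if strict else SPF_FAIL_WEIGHT_DEFAULT
    if score >= BLOCK_AT:
        return score, "block"
    if score >= QUARANTINE_AT:
        return score, "quarantine"
    return score, "deliver"

def sample(return_path, spf):
    # Constructed message, not real mail.
    return f"Return-Path: <{return_path}>\nReceived-SPF: {spf}\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for rp, spf in [("xx@apple.com", "fail (constructed)"),
                    ("news@example.org", "fail (constructed)"),
                    ("bob@example.net", "none (constructed)")]:
        print(rp, spf.split()[0], classify(sample(rp, spf)))
```

A misconfigured sender outside the strict list scores only the minor weight, so it is blocked or quarantined only when other tests also fail.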
