On 08/26/2015 03:38 PM, Peter wrote: > On 08/27/2015 07:29 AM, Alice Wonder wrote: >> Maybe I'll start blocking any server with an SPF record that includes >> more than 5 IP addresses, > > That's not a very good idea. major ESPs (eg: gmail.com) have way more > IPs listed than that. Yeah, I thought about that. > >> or servers where any host in the SPF record is in a DNS blacklist. > > That could work better, but I would still say be careful, you could > certainly end up wih false positives doing this. I would try to count 2 before rejecting I think. Valid SPF reduces spam score with a lot of filter systems, but snowshoe spammers can just modify the record at will to add whatever smtp servers they currently are using. If they are going to use SPF records to lower their score then I will use SPF records to try to identify them. False positives are a risk with any automated filter, but whitelists like dnswl.org can help reduce that problem. I suspect if somesite.tld has MTAs in the SPF list that it actually uses and are on blacklists then somesite.tld already has mail delivery problems it needs to address.