Spammers using valid SPF records?
Exchange 2007 - I'm starting to see spammers that show a SCL: 0 because they have a valid SPF record. This seems new to me, that spammers actually have taken the time to set up valid SPF records.

I've traced this back to a block /18 of IPs where the block owner has MANY questionable domain names on their network, but the emails I see getting through the Exchange spam filter all show valid SPF records...

Anyone else seeing this?

You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)
April 10th, 2011 4:41pm

On Sun, 10 Apr 2011 20:36:25 +0000, Leythos wrote:

>Exchange 2007 - I'm starting to see spammers that show a SCL: 0 because they have a valid SPF record. This seems new to me, that spammers actually have taken the time to set up valid SPF records.

It's not new, it's been going on for years. In fact, it started almost immediately after SPF was introduced.

SPF (or SenderID) isn't designed to do anything more than detect a spoofed address. Having a published SPF record for a domain might lend a little credibility to the sender's reputation but it shouldn't sway a spam filter enough to make spam into ham unless the spam is only marginally spammy.

>I've traced this back to a block /18 of IPs where the block owner has MANY questionable domain names on their network, but the emails I see getting through the Exchange spam filter all show valid SPF records...
>
>Anyone else seeing this?

Are you using only the anti-spam stuff that comes with Exchange? In my opinion, that's only barely adequate. The AV engine in Forefront Protection for Exchange (i.e. Cloudmark) is much superior. Other AV products and services also provide superior results.

---
Rich Matheisen
MCSE+I, Exchange MVP
April 10th, 2011 5:46pm

In article <1181dfda-c7bb-47e7-8642-d2a8199750bf@communitybridge.codeplex.com>, Rich Matheisen [MVP] says...

>On Sun, 10 Apr 2011 20:36:25 +0000, Leythos wrote:
>
>>Exchange 2007 - I'm starting to see spammers that show a SCL: 0 because they have a valid SPF record. This seems new to me, that spammers actually have taken the time to set up valid SPF records.
>
>It's not new, it's been going on for years. In fact, it started almost immediately after SPF was introduced.
>
>SPF (or SenderID) isn't designed to do anything more than detect a spoofed address. Having a published SPF record for a domain might lend a little credibility to the sender's reputation but it shouldn't sway a spam filter enough to make spam into ham unless the spam is only marginally spammy.
>
>>I've traced this back to a block /18 of IPs where the block owner has MANY questionable domain names on their network, but the emails I see getting through the Exchange spam filter all show valid SPF records...
>>
>>Anyone else seeing this?
>
>Are you using only the anti-spam stuff that comes with Exchange? In my opinion, that's only barely adequate. The AV engine in Forefront Protection for Exchange (i.e. Cloudmark) is much superior. Other AV products and services also provide superior results.

Just the built-in MS Exchange 07 anti-spam and RBLs with about 50 IP addresses being blocked.

I'm trying to find a way for customers to be able to afford anti-spam services without having to pay a fortune. I normally install the WatchGuard firewall and the UTM services and find that their anti-spam works better than anything else on the market.

In my case, for my company, I've disabled the anti-spam on the firewall and using just the Exchange 07 included anti-spam and RBLs with blocked IP lists, I've managed to cut down the spam to just 1-4 per day on some accounts, and others don't see 1 in a month.

The thing that threw me was that if there is a valid SPF record the SCL is always set to 0 by it - shouldn't it be just another part of the score, not taking it to 0?

You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)
April 10th, 2011 8:37pm

On Mon, 11 Apr 2011 00:35:11 +0000, Leythos wrote:

[ snip ]

>>Are you using only the anti-spam stuff that comes with Exchange? In my opinion, that's only barely adequate. The AV engine in Forefront Protection for Exchange (i.e. Cloudmark) is much superior. Other AV products and services also provide superior results.
>
>Just the built-in MS Exchange 07 anti-spam and RBLs with about 50 IP addresses being blocked.
>
>I'm trying to find a way for customers to be able to afford anti-spam services without having to pay a fortune. I normally install the WatchGuard firewall and the UTM services and find that their anti-spam works better than anything else on the market.
>
>In my case, for my company, I've disabled the anti-spam on the firewall and using just the Exchange 07 included anti-spam and RBLs with blocked IP lists, I've managed to cut down the spam to just 1-4 per day on some accounts, and others don't see 1 in a month.
>
>The thing that threw me was that if there is a valid SPF record the SCL is always set to 0 by it - shouldn't it be just another part of the score, not taking it to 0?

If it's just your assumption that it's a positive SPF test that's influencing the score to that extent why not just turn off the SPF checking for a while? What are the SCL rankings then?

---
Rich Matheisen
MCSE+I, Exchange MVP
April 10th, 2011 11:15pm
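
One way to check whether a Sender ID pass really coincides with SCL 0, as an added example that is not from any poster in this thread: cross-tabulate the SCL stamped on saved messages against the Sender ID result. It assumes messages exported as raw text with the `X-MS-Exchange-Organization-SCL` and `X-MS-Exchange-Organization-SenderIdResult` headers intact; the sample messages and the helper names are constructed for illustration.

```python
from collections import Counter, defaultdict
from email import message_from_string

SCL_HDR = "X-MS-Exchange-Organization-SCL"
SID_HDR = "X-MS-Exchange-Organization-SenderIdResult"

def _msg(sid, scl):
    """Build one constructed sample message; None leaves that header out."""
    lines = ["From: sender@example.net", "Subject: constructed sample"]
    if sid is not None:
        lines.append(f"{SID_HDR}: {sid}")
    if scl is not None:
        lines.append(f"{SCL_HDR}: {scl}")
    return "\n".join(lines) + "\n\nbody\n"

# Constructed sample data, not taken from the thread.
SAMPLES = [
    _msg("Pass", 0), _msg("Pass", 0), _msg("Pass", 6), _msg("None", 0),
    _msg("SoftFail", 7), _msg("Fail", 9), _msg("Pass", -1),
    _msg(None, 5), _msg("Pass", None), _msg("Pass", "n/a"),
]

def scl_by_senderid(raw_messages):
    """Return {sender_id_result: Counter({scl: count})} for rated messages."""
    table = defaultdict(Counter)
    for raw in raw_messages:
        msg = message_from_string(raw)
        try:
            scl = int(msg.get(SCL_HDR, "").strip())
        except ValueError:
            continue  # header missing or unparsable: no rating to count
        if scl < 0:
            continue  # SCL -1 marks mail that bypassed filtering, not a clean rating
        result = (msg.get(SID_HDR) or "Unstamped").strip()
        table[result][scl] += 1
    return table

def share_at_zero(table, result):
    """Fraction of rated messages with this Sender ID result that got SCL 0."""
    counts = table.get(result)
    return counts[0] / sum(counts.values()) if counts else None

if __name__ == "__main__":
    table = scl_by_senderid(SAMPLES)
    for result in sorted(table):
        print(result, dict(sorted(table[result].items())), share_at_zero(table, result))
```

If the share at SCL 0 for `Pass` is no higher than for the other results, the pass is not what is driving the rating.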

In article <8221486f-30ce-4922-9fe1-2f8053a85488@communitybridge.codeplex.com>, Rich Matheisen [MVP] says...

>On Mon, 11 Apr 2011 00:35:11 +0000, Leythos wrote:
>
>[ snip ]
>
>>>Are you using only the anti-spam stuff that comes with Exchange? In my opinion, that's only barely adequate. The AV engine in Forefront Protection for Exchange (i.e. Cloudmark) is much superior. Other AV products and services also provide superior results.
>>
>>Just the built-in MS Exchange 07 anti-spam and RBLs with about 50 IP addresses being blocked.
>>
>>I'm trying to find a way for customers to be able to afford anti-spam services without having to pay a fortune. I normally install the WatchGuard firewall and the UTM services and find that their anti-spam works better than anything else on the market.
>>
>>In my case, for my company, I've disabled the anti-spam on the firewall and using just the Exchange 07 included anti-spam and RBLs with blocked IP lists, I've managed to cut down the spam to just 1-4 per day on some accounts, and others don't see 1 in a month.
>>
>>The thing that threw me was that if there is a valid SPF record the SCL is always set to 0 by it - shouldn't it be just another part of the score, not taking it to 0?
>
>If it's just your assumption that it's a positive SPF test that's influencing the score to that extent why not just turn off the SPF checking for a while? What are the SCL rankings then?

Good idea, I'll try that Monday and see if it helps and what the SCLs are with it off.

You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)
April 11th, 2011 1:02am

This topic is archived. No further replies will be accepted.
