SPF wildcards by spammers

Matt Kettler mkettler at evi-inc.com
Tue Sep 4 23:28:05 IST 2007


Scott Silva wrote:

>>
> I see a lot of legit senders that are either testing SPF or are just 
> clueless and set their records this way. Even the wizard at the openspf 
> site sets ~all instead of -all, and people probably just run the wizard 
> and copy and paste.

Well, ~all or even ?all is one thing.. +all is something totally different.

~all isn't what I would call "anything goes".. that's a soft-fail. Most domains 
should be using that instead of -all anyway, but that's a personal opinion.

I'd call +all an "anything goes" situation. That would probably be worth scoring 
positive on.

> If the spamassassin people haven't bumped up a score over things like 
> this, I would have to say that it will have too many FP's. They have a 
> large corpus of messages to test against.

Certainly at the ~all level, that's common.

In fact, I'd postulate that most folks using -all have screwed up, and the fact 
that SPF_SOFTFAIL (~all) has a higher S/O than SPF_FAIL (-all) supports that.

(It appears a lot of naive and eager admins jump straight in at -all without 
thinking about their network. This causes more FP's. Most of the cautious admins 
have thought it through, but still use ~all to be even more cautious.)
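
The distinction drawn in the message above, between ~all / ?all / -all and an "anything goes" +all, can be checked mechanically on the text of a published SPF record. The sketch below is an added example, not part of the original post and not SpamAssassin code; the function names and sample records are constructed for illustration, and it goes slightly beyond the message by also flagging a pass-qualified /0 network, which has the same effect as +all for that address family.

```python
import ipaddress
import re

# Qualifier results per RFC 7208; a term with no qualifier defaults to "+".
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)(all|ip[46]:\S+)$", re.IGNORECASE)

# Constructed sample records, not taken from any real domain.
SAMPLES = [
    "v=spf1 mx ~all",
    "v=spf1 a mx -all",
    "v=spf1 +all",
    "v=spf1 ip4:0.0.0.0/0 -all",
]


def catch_all_terms(record):
    """Yield (result, mechanism) for each catch-all term, in evaluation order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            continue  # a, mx, include, redirect=...: need DNS to evaluate
        result, mech = RESULTS[m.group(1) or "+"], m.group(2).lower()
        if mech == "all":
            yield result, mech
            return  # terms after "all" are never evaluated
        try:
            net = ipaddress.ip_network(mech[4:], strict=False)
        except ValueError:
            continue  # malformed network; leave it to a full validator
        if net.prefixlen == 0:
            yield result, mech  # /0 matches every address of that family


def all_result(record):
    """Result of the record's "all" term, or None if it has none."""
    return next((r for r, m in catch_all_terms(record) if m == "all"), None)


def anything_goes(record):
    """True if some catch-all term hands out "pass" to arbitrary senders."""
    return any(result == "pass" for result, _ in catch_all_terms(record))


if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{rec!r}: all={all_result(rec)} anything_goes={anything_goes(rec)}")
```

The last sample shows why checking only the trailing qualifier is not enough: the record ends in -all yet passes every IPv4 sender.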









