I'm currently running a CentOS server with DirectAdmin and CustomBuild. I keep getting spoofed phishing mails with spoofed From addresses that have SPF set up properly.
SpamAssassin gives it a score of 1.8, probably because the mail seems legit and the other tests compounded result in a negative score. So negative score + SPF test score = 1.8.
In DirectAdmin you have ways to block mail, but this is looking at the From address, not the mail server that is spoofing.
All mails have these same sending mail server headers: Received: from cm17.websitewelcome.com (cm17.websitewelcome.com [100.42.49.20]) by gateway34.websitewelcome.com (Postfix)
IP addresses change and subdomains change. But if I can somewhere block all mail from *.websitewelcome.com, my problem is solved for a while.
Can I block this somewhere in Postfix or Exim? Increasing the SPF test score value is also an approach, but this can mark a lot of legit mails as well.
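
The matching rule the question asks for, as an added example that is not part of the original post: extract every relay hostname from a message's Received headers and flag the message when one falls under a blocked domain, matching on a label boundary so look-alike domains do not trigger it. The function names, the From/Subject lines and the look-alike message are constructed for illustration; only the first Received header comes from the post.

```python
import re
from email import message_from_string

# Names after "from"/"by", plus the reverse-DNS name in "(host [ip])".
_HOST_RE = re.compile(
    r"\b(?:from|by)\s+([A-Za-z0-9.-]+)|\(([A-Za-z0-9.-]+)\s+\[", re.I)

def relay_hosts(raw_message):
    """Return every relay hostname named in the Received headers."""
    msg = message_from_string(raw_message)
    hosts = []
    for value in msg.get_all("Received", []):
        for named, rdns in _HOST_RE.findall(value):
            hosts.append((named or rdns).lower().rstrip("."))
    return hosts

def in_domain(host, domain):
    """True for the domain itself or a subdomain, on a label boundary."""
    domain = domain.lower().lstrip("*.")
    return host == domain or host.endswith("." + domain)

def blocked_relays(raw_message, domain):
    """Sorted, de-duplicated relays in the message that fall under domain."""
    return sorted({h for h in relay_hosts(raw_message) if in_domain(h, domain)})

# Constructed sample: the Received header quoted in the post (folded),
# with made-up From/Subject lines.
SPOOFED = (
    "Received: from cm17.websitewelcome.com (cm17.websitewelcome.com [100.42.49.20])\n"
    "\tby gateway34.websitewelcome.com (Postfix)\n"
    "From: billing@example.org\n"
    "Subject: Invoice\n\nbody\n"
)
# Constructed look-alike: a substring match would wrongly flag this one.
LOOKALIKE = (
    "Received: from mail.notwebsitewelcome.com (mail.notwebsitewelcome.com [192.0.2.20])\n"
    "\tby mx.example.net (Postfix)\n"
    "From: news@example.org\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        hits = blocked_relays(raw, "*.websitewelcome.com")
        print(name, "REJECT" if hits else "accept", hits)
```

Received lines below the one your own server adds are written by upstream hosts, so a match here is a filtering signal rather than proof of origin.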