Re: SPF PASS

william(at)elan.net wrote:
> On Thu, 26 May 2005, Terry Fielder wrote:
>
> > > The domain names in my EHLOs is completely disjoint from the set in my
> > > MAIL FROM and mail headers.  How is SPF going to handle that?
> > I believe you will find that the EHLO/HELO is only checked if the MAIL 
> > FROM fails.
>
> Why? Doing EHLO check is useful no matter if MAILFROM fails or passes!
> And it does not make any sense to delay it until MAILFROM when EHLO is
> the first identity parameter email server receives and this identity 
> that has very few failure cases with SPF (unlike MAILFROM)
Right, I fell into the the JL trap of thinking that the two domains had 
to be the same and yet represent something different.  But if its a 
relay server, the HELO *will* be different and consequently *will* use a 
different SPF record (if one exists).

> Also note that MAILFROM identity corresponds to original recipient 
> (unless every forwarder starts using SRS and you change its semantics,
> but that is unlikely) where as EHLO name corresponds to the mail system. 
> As John proper said, they are disjoint and should not be mixed.
> > I think I have heard of other implementations where:
> > If the EHLO fails, you check the MAIL FROM, and if that passes then it 
> > gets an SPF pass.
>
> Unless I'm mistaken SPF pass is specific per scope/identity checked and 
> there is no overall SPF pass.
That was not my understanding, but I accept being corrected if that's 
the case.
> > Either way, it doesn't matter if your EHLO fails (it does on many, 
> > maybe even MOST systems), because as long as your MAIL FROM is SPF 
> > PASS, then your mails SPF response on the whole is a PASS, and is not 
> > negatively affected.
> > PS  This is from memory, one of the developers are better qualified to 
> > answer this question, if you don't trust my answer, but the 
> > generalization is at least correct, AFAICT.
> > When it comes time to using the authorization to compare to domain 
> > black/white listing, then the MAIL FROM domain and the EHLO/HELO 
> > domain could be used as a query to the lists.
>
> You should not query different identities on the same reputation service,
> I believe that is a possibility for unpredictable and incorrect results
> and reputation systems must be setup for each specific identity in 
> question.
I disagree, a domain may authorize RELAY.com to relay his email.  But if 
RELAY.com is notoroious for sending spam (from his other customers he 
relays for), then when I check the HELO name I may want to reject the 
mail from RELAY.com because of his bad spamming reputation even if the 
"MAIL FROM" domain is SPF PASS for said relay.
Consider the case when RELAY.com is actually SPAMMER.com, and once 
SPAMMER.com is black listed you want to keep blocking mail from him even 
if he registers other throwaway domains to pretend his server 
SPAMMER.com is relaying for.  A thumbs up on the reputation of 
THROWAWAY.com may want to be ignored if a thumbs down occurs for the MTA 
SPAMMER.com
> ----
>
> BTW, for those who do not participate at spf-discuss and don't know -
> I'm writing paper on email identities and how they are used in path and 
> cryptographic authentication methods (i.e LMAP and MASS) for anti-spoofing
> protection. This is very much on the topic of what has been discussed 
> here and on ietf-smtp about good and bad points of each proposal.
> You can find the latest public draft at:
>
> http://www.elan.net/~william/emailsecurity/path_and_cryptographic_authentication-draft-limited-07.htm 
>
> Comments on the content, especially if I got anything wrong are 
> appreciated.
--
Terry Fielder
terry(_at_)greatgulfhomes(_dot_)com
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085