ietf-mxcomp

HELO and MAIL FROM are separate identities; reputation on a per-domain basis instead of per-IP (was: SPF PASS)

2005-05-26 12:31:40
Terry Fielder wrote:
William Leibzon wrote:
You should not query different identities on the same reputation
service, I believe that is a possibility for unpredictable and
incorrect results and reputation systems must be set up for each
specific identity in question.

William is right.  You should not confuse "example.com-the-HELO-domain" 
with "example.com-the-MAILFROM-domain".

You should not query "mailsenders.reputation-provider.com" for HELO 
identities or "mtas.reputation-provider.com" for MAIL FROM identities.

I disagree, a domain may authorize RELAY.com to relay his email.  But if
RELAY.com is notorious for sending spam (from his other customers he
relays for), then when I check the HELO name I may want to reject the
mail from RELAY.com because of his bad spamming reputation even if the
"MAIL FROM" domain is SPF PASS for said relay.

Well, this scenario is actually one of the strengths of SPF (and other 
sender domain authentication methods).  Even if relay.com sends a lot of 
spam, if you _do_ trust them to prevent cross-user forgery[1], you may be 
able to still successfully get your own legitimate mail through, because 
receivers don't necessarily have to block on the relay.com MTA IP address 
any more, but can assess reputation on a per-domain basis instead.

References:
 1. http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-01.html#cross-user-forgery
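
Added illustration, not part of the original message or of any SPF implementation: a receiver-side sketch of the per-domain assessment discussed above, with one reputation zone per identity type. The zone names are the hypothetical ones quoted in the thread; the sample data, the function names and the verdict strings are assumptions made for this example.

```python
# One zone per identity type, using the hypothetical names from the thread.
ZONES = {
    "helo": "mtas.reputation-provider.com",
    "mailfrom": "mailsenders.reputation-provider.com",
}

# Constructed sample data standing in for DNS answers from each zone.
SAMPLE_REPUTATION = {
    "relay.com.mtas.reputation-provider.com": "bad",
    "customer.example.mailsenders.reputation-provider.com": "good",
}

def query_name(identity, domain):
    """Build the lookup name for one identity type; types never share a zone."""
    if identity not in ZONES:
        raise ValueError(f"unknown identity type: {identity!r}")
    return f"{domain.lower().rstrip('.')}.{ZONES[identity]}"

def lookup(identity, domain, table=SAMPLE_REPUTATION):
    """Return 'good', 'bad' or 'unknown' for the (identity, domain) pair."""
    return table.get(query_name(identity, domain), "unknown")

def assess(helo_domain, mailfrom_domain, spf_mailfrom, table=SAMPLE_REPUTATION):
    """MAIL FROM reputation counts only when SPF authenticated that domain."""
    if spf_mailfrom == "pass":
        sender_rep = lookup("mailfrom", mailfrom_domain, table)
        if sender_rep == "good":
            return "accept"   # authenticated domain in good standing
        if sender_rep == "bad":
            return "reject"
    # No authenticated sender domain to lean on: use the MTA's own identity.
    if lookup("helo", helo_domain, table) == "bad":
        return "reject"
    return "defer-to-content-filter"
```

With the sample data, mail relayed through relay.com is accepted only when the MAIL FROM domain both passes SPF and has its own good standing; relay.com's HELO reputation never appears under the MAIL FROM zone.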

