ietf-asrg

Re: [Asrg] Re: SPF abused by spammers

2004-09-21 18:37:35
Markus Stumpf wrote:

> On Fri, Sep 17, 2004 at 03:11:18PM +0000, Mark wrote:
>
> > Hello? Ever heard of HELO? :) Sending with an empty envelope-from,
> > to try and circumvent SPF, is pointless: checks are done against
> > HELO, in that case (as if tested against, say, postmaster(_at_)HELO).
> > Consequently, since there is nothing to prevent, there is nothing to
> > send "non empty" either (where empty was the case).
>
> That was the reference I didn't find.
>
> Which leads to the problem with
>
>   HELO [10.0.0.1]
> or
>   HELO i222-150-67-241.s04.a013.ap.plala.or.jp
>
> which would require all ISPs to add SPF records to all entities and
> raises again the problems Barry Shein has addressed.

Well, only if that ISP allows people to send mail from their home IP addresses. Otherwise, the ISP just has to create SPF records for its own outgoing mail servers.

If people on a home network get their own $9 bucks domain name, they could (and probably should) set their HELO string to their domain name, if they are also sending from their home IP address(es). Then they can, themselves, publish, or have published, SPF records for that domain. Setting HELO to their PTR (if unchangeable, and provided by the ISP, and in the above format you described), would not make much sense, in that case.

> And: if I am a customer of some.isp and my current revDNS entry for
> the IP I am using is
>
>    1.0.0.10.rev.dsl.some.isp
>
> should I be allowed to send a bounce on behalf of that address, i.e.
> use the name or IP in the HELO string?

I doubt you'll get far with a 10.0.0.1 address. :) But, assuming a public address, why should you not be allowed to send a bounce from that address? SPF "classic" does not check against your PTR; so, if you have proper SPF records for your domain/HELO, why not? If your HELO is set to your own domain name, and an A record lookup of the HELO matches your IP address, you're in the clear.

- Mark
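
The HELO fallback discussed in this message, as an added example that is not part of the original post: with an empty envelope-from the checked identity becomes postmaster@HELO, and a HELO that is an address literal or a name with no SPF record yields no result at all. The domain names, addresses and DNS data are constructed, and only the `ip4`, `a` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), not taken from the thread.
TXT = {"home.example": "v=spf1 a -all",
       "some.isp.example": "v=spf1 ip4:192.0.2.0/28 -all"}
A = {"home.example": ["203.0.113.7"]}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_identity(mail_from, helo):
    """Identity to check: MAIL FROM, or postmaster@HELO for a null sender."""
    if mail_from:
        return mail_from
    if helo.startswith("[") or "." not in helo:
        return None  # address literal or unqualified name: no domain to query
    return "postmaster@" + helo

def check_host(ip, domain):
    """Evaluate a subset of SPF (ip4, a, all) for `domain` against client `ip`."""
    domain = domain.lower()
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published for this name
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech == "a":  # the A-record lookup of the name must match the client
            matched = any(client == ipaddress.ip_address(a) for a in A.get(domain, []))
        elif mech.startswith("ip4:"):
            matched = client in ipaddress.ip_network(mech[4:], strict=False)
        else:
            continue  # outside this example's subset; a full evaluator handles it
        if matched:
            return RESULT[qualifier]
    return "neutral"

def evaluate(ip, helo, mail_from=""):
    """SPF result for one SMTP session, given client IP, HELO and MAIL FROM."""
    identity = spf_identity(mail_from, helo)
    if identity is None:
        return "none"
    return check_host(ip, identity.rsplit("@", 1)[1])
```
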

