On Wed, 1 Dec 2004, John Leslie wrote:

> CSV really _isn't_ about whether a HELO string is a forgery: it's
> about whether the domain listed in the HELO string authorizes an
> authenticated IP address to act as a SMTP client, and takes some
> (loosely specified) responsibility for email it sends.

I agree. However if CSV does its job *properly* then HELO forgery
elimination is a side-benefit. By "properly" I mean that a domain's admin
can fully specify their authorization policy without leaving gaps where
CSA says "dunno". If these gaps exist then spammers will simply move into
them, and there won't be any decent foundation on which to base the
reputation services that are supposed to be CSV's killer feature.

The reason I'm going on about this is that CSA is supposed to be a
security policy (because it's about authorization), and its patchy
coverage is a gaping hole.

Tony.
--
f.a.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
MALIN HEBRIDES: NORTHEAST 4 OR 5 INCREASING 6. RAIN LATER. GOOD BECOMING
MODERATE.