If someone is sending out mail that gives HELO mail.verisign.com that is not
VeriSign then it deserves to go in the bit bucket regardless.
If, on the other hand, a VeriSign mailer is saying HELO mail.cybercash.com or
whatever, it is unlikely to cause problems.
I don't see how CSV makes any difference here. The motives and objectives
that are imputed to network admins are all hokum as far as I can see.
If you really think this is necessary then the reasonable way to go about
deployment is to propose an appropriate SPF context flag. Proposing
deployment of an entirely new record as CSV does is utterly unhelpful in my
view.
-----Original Message-----
From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Dave Crocker
Sent: Sunday, January 09, 2005 5:27 PM
To: ietf-mailsig
Subject: RE: Web pages for MASS effort
On Sun, 9 Jan 2005 21:24:02 +0000, Tony Finch wrote:
SPF isn't good enough for HELO verification, because it doesn't have a way
of distinguishing between a HELO name that is invalid for legacy reasons
and a HELO name that is invalid for malicious reasons. CSA will have a
mechanism to do this.
This kind of mechanism is less necessary for mail domains (SPF's main
target) than for HELO names, because a mail domain MUST have a valid MX,
A, or AAAA record in the DNS, whereas historical practice allows HELO
names to be completely bogus. About a third of sites rely on this loop
Yes.
More generally, we need to be careful not to conflate
statements about authorship with statements about operations.
The From/Sender/MailFrom domains involve folks directly
involved in the content. HELO involves an agency that is
providing transport, pretty much independent of content.
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net