spf-discuss

PTR validation

2003-12-11 15:30:02
On Sun, Dec 07, 2003 at 07:56:29PM +0100, Philipp Morger wrote:
| OK... I give it a shot... 

sorry, i didn't get to look at this message until now.

| 
| One note for developers, or the RFC-Editor of SPF, it might look obvious but I want
| to point out that there might be a certain "hole" in the ptr mechanism:
| 
| assume I know that MTA mta.example.com allows mail from ptr:backuphost.example.com - when
| I enter a PTR for my IP that points to backuphost.example.com then I'm in.
| 
| You have to verify that the IP's PTR also has a matching forward record! (which in
| turn might IMHO be an A, AAAA or CNAME record)
| 

that's true; i have put in some pseudocode in the latest version of the
draft to explain PTR forward validation.

5.4 'ptr'

   This mechanism tests if the <sending-host>'s name is within a
   particular domain.

        PTR = 'ptr' [ ':' domain-spec ]

   First the <sending-host>'s name is looked up using this procedure:
   perform a PTR lookup against the <sending-host>'s IP.  For each
   record returned, validate the host name by looking up its IP address.
   If the <sending-host>'s IP is among the returned IP addresses, then
   that host name is validated.

   Pseudocode:
     PTR-lookup(sending-host_IP) -> sending-host_names
     for each name in (sending-host_names) {
       A-lookup(name) -> IP_addresses
       if the sending-host_IP is one of the IP_addresses {
         validated_sending-host_names += name
       }
     }

   Check all validated hostnames to see if they end in the <target-name>
   domain.  If any do, this mechanism matches.  If no validated hostname
   can be found, or if none of the validated hostnames end in the
   <target-name>, this mechanism fails to match.

   Pseudocode:
     for each name in (validated_sending-host_names) {
       if name ends in <domain-spec>, return match.
       if name is <domain-spec>, return match.
     }

   This mechanism matches if the <target-name> is a parent node of the
   <sending-host>, or if the <target-name> and the <sending-host> are
   the same.  For example: "mail.example.com" is within the domain
   "example.com", but "mail.bad-example.com" is not.  If a validated
   hostname is the <target-name>, a match results.
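The two pseudocode steps above, as an added Python example (not code from the draft or the list): a forward-confirmed PTR check run against constructed zone data that stands in for live DNS, including the case Philipp describes, where a forged PTR names backuphost.example.com but that name's A record does not point back at the sending IP. The lookup functions and record values are assumptions made up for this example.

```python
# Constructed zone data (not real DNS records) so the example runs offline.
# 203.0.113.5 carries a forged PTR: its name's A record points elsewhere.
REVERSE = {
    "192.0.2.10": ["mail.example.com."],                    # honest host
    "203.0.113.5": ["backuphost.example.com."],             # forged PTR
    "192.0.2.20": ["mx.example.com.", "other.example.org."],  # two PTRs
}
FORWARD = {
    "mail.example.com.": ["192.0.2.10"],
    "backuphost.example.com.": ["192.0.2.99"],  # does not confirm 203.0.113.5
    "mx.example.com.": ["192.0.2.20"],
    "other.example.org.": ["192.0.2.20"],
}


def ptr_lookup(ip):
    """Stand-in for a PTR query: names claimed for this IP."""
    return REVERSE.get(ip, [])


def a_lookup(name):
    """Stand-in for an A query: addresses the name actually resolves to."""
    return FORWARD.get(name, [])


def validated_names(sending_ip, ptr=ptr_lookup, forward=a_lookup):
    """Step 1: keep a PTR name only if its own A records include sending_ip."""
    return [name for name in ptr(sending_ip) if sending_ip in forward(name)]


def within_domain(name, target):
    """Match on label boundaries, so mail.bad-example.com is not in example.com."""
    n, t = name.rstrip(".").lower(), target.rstrip(".").lower()
    return n == t or n.endswith("." + t)


def ptr_mechanism(sending_ip, target_name, ptr=ptr_lookup, forward=a_lookup):
    """Step 2: the mechanism matches if any validated name lies within target_name."""
    return any(within_domain(n, target_name)
               for n in validated_names(sending_ip, ptr, forward))
```

Swapping `ptr` and `forward` for real resolver calls gives a working check; the forged-PTR host yields no validated names, so ptr:example.com does not match it.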

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt

