spf-discuss

Re: Possible SPF machine-domain loophole???

2004-02-23 21:21:19

----- Original Message ----- 
From: "Meng Weng Wong" <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, February 23, 2004 4:12 PM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???

You've lost me :) ... can you explain to me what the desired benefit is?

I must be missing the value of the HELO machine name.

Per RFC 2821, the HELO machine name in "theory" must be associated with the
connecting client IP address.  Of course, for legacy reasons, it is not
enforced.

Systems like SPF, DMP add enforcement.

SPF lookup logic adds a loophole in this regard.

Actual example:

Client IP: 222.156.67.110
00:46:39 S: 220 winserver.com Wildcat! ESMTP Server v5.7.450.9b13 ready
00:46:40 C: HELO winserver.com
00:46:40 S: 250 winserver.com, Pleased to meet you.
00:46:40 C: MAIL FROM:<op(_at_)tpts1(_dot_)seed(_dot_)net(_dot_)tw>

This returns an SPF-none result, but more importantly the HELO domain is
spoofed with no SPF provision to check it.  DMP would have stopped this.

I have a proposal/solution if you want to hear it.  But I need to see you
agree it is a problem.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
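
The session quoted in the message above, as an added example that is not part of the original post: it checks both the MAIL FROM domain and the HELO name against a sender-policy table, showing how the MAIL FROM check alone returns "none" while a HELO check would flag the connection. The `POLICY` table, its address range, and the function names are constructed for illustration and stand in for real DNS lookups.

```python
import ipaddress
import re

# Constructed stand-in for published sender policy (not real DNS data):
# domain -> networks allowed to use that name. A domain missing here
# has published nothing, which gives the "none" result.
POLICY = {"winserver.com": ["192.0.2.0/24"]}

# Session from the post, with the archive's address obfuscation left in.
SESSION = """\
Client IP: 222.156.67.110
00:46:39 S: 220 winserver.com Wildcat! ESMTP Server v5.7.450.9b13 ready
00:46:40 C: HELO winserver.com
00:46:40 S: 250 winserver.com, Pleased to meet you.
00:46:40 C: MAIL FROM:<op(_at_)tpts1(_dot_)seed(_dot_)net(_dot_)tw>
"""

def parse_session(text):
    """Extract client IP, HELO name and MAIL FROM domain from the log."""
    text = text.replace("(_at_)", "@").replace("(_dot_)", ".")
    ip = re.search(r"^Client IP:\s*(\S+)", text, re.M).group(1)
    helo = re.search(r"C: (?:HELO|EHLO)\s+(\S+)", text).group(1)
    mail_from = re.search(r"C: MAIL FROM:<[^@>]*@([^>]+)>", text).group(1)
    return ip, helo.lower(), mail_from.lower()

def check_identity(domain, client_ip):
    """Return 'none', 'pass' or 'fail' for one identity against POLICY."""
    nets = POLICY.get(domain)
    if nets is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    ok = any(addr in ipaddress.ip_network(n) for n in nets)
    return "pass" if ok else "fail"

def evaluate(text):
    """Check both identities, as opposed to the MAIL FROM domain alone."""
    ip, helo, mail_from = parse_session(text)
    return {"mail_from": check_identity(mail_from, ip),
            "helo": check_identity(helo, ip)}

if __name__ == "__main__":
    print(evaluate(SESSION))
```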