----- Original Message -----
From: "Meng Weng Wong" <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, February 23, 2004 11:27 PM
Subject: [spf-discuss] the role of the HELO domain
| I have a proposal/solution if you want to hear it. But I need to see
you
| agree it is a problem.
I agree it is a wonderful way to detect spam,
SPF doesn't detect spam. It validates sender machines. Isn't that the
whole point? To add accountability?
but I don't think that test belongs in SPF; why not perform the test
separately from SPF?
I was with DMP. Well I have no choice now to keep it in or come with a
variant SPF solution which is what I am working out now.
Pobox.com for instance provides many per-user configurable spam filters,
and rejecting a bad HELO is one of them. But it is not tied to SPF.
Meng, I think this will have a negative impact on SPF. You should address
it. Sort of defeats the purpose. The whole point of SPF is to validate
sender machines. The enforcement of client machine domain and client IP is
one of them, in fact I consider it more important than the MAIL FROM.
This is the kind of "relaxation" that has made the SMTP specification broken
in the first place yielding the problematic results we have today. You
have been blessed with a unique opportunity to make a significant dent in
the mail industry just by the sheer fact there you have gain a following,
especially with large organizations. Now is the time to address the
loopholes. Not later. In my opinion, I envision you will see this be a
very frequent issue to come up.
"Hey, it is obvious that the sender machine is spoofing. How come
SPF does not trap this?"
I think SPF should check for local domain spoofing as a priority first above
anything else.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com