spf-discuss

Re: Possible SPF machine-domain loophole???

2004-02-24 09:10:05
Meng, this is all very simple.

Adjust SPF to validate LOCAL DOMAIN spoofing as a predominant requirement.
Remember, that is what most people are going to want first over everything
else.

        "I need to protect my system first, then I'll check the other guy
second."

Geez, that is what got us involved in this work in the first place - when we
started to see the criminal fraud mis-representation of our domains and
email addresses as return paths.

If the equation for a good total system is:

        SPF +  MTA w/ HELO/EHLO domain checking = Good System

then that needs to be stated in the "functional" (not technical)
specification, otherwise you have a loophole.  The technical specification
describes how it is actually implemented.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


----- Original Message ----- 
From: "Meng Weng Wong" <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, February 24, 2004 10:55 AM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???


On Tue, Feb 24, 2004 at 09:50:53AM -0600, wayne wrote:
|
| I think it may be useful to do SPF checking on the HELO string, and
| reject the connection if the SPF check fails, but let it pass
| otherwise.

Yes, that will probably be helpful.

But if the goal is to prevent bad guys from using your name in any way,
it may not work: suppose I own domain.com.

  HELO bogussubdomain.domain.com

  HELO doma1n.com

  HELO domain.com.INTERNET

will all pass the test (unless in the first case there's a *.domain.com
TXT record) and cause users to generate abuse reports to domain.com.
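The two points above (Hector's "SPF + MTA with HELO/EHLO checking" equation and Meng's three HELO strings that slip past a HELO check) can be seen concretely by running a small SPF evaluator against the HELO identity. The following is an added example written for this page; it is not code from the SPF project or from either poster. DNS is replaced by a constructed in-memory table so it runs offline, the names domain.com, mail.domain.com and the addresses 192.0.2.x / 203.0.113.7 are invented, and only the ip4, a and all mechanisms with the four qualifiers are implemented.

```python
"""Added example: a minimal SPF evaluator applied to the HELO identity.

Illustrative code for this page, not the SPF project's own code.  DNS is
replaced by the constructed tables below so it runs offline; every name and
address is invented.  Only the ip4, a and all mechanisms are implemented,
with the +, -, ~ and ? qualifiers.
"""
import ipaddress

# Constructed zone data standing in for DNS TXT and A lookups.
ZONE_TXT = {
    "domain.com": "v=spf1 ip4:192.0.2.0/24 a -all",
    "mail.domain.com": "v=spf1 a -all",
}
ZONE_A = {
    "domain.com": ["192.0.2.10"],
    "mail.domain.com": ["192.0.2.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, txt, a_records):
    """Return the SPF TXT record for name, or None.

    A '*.parent' wildcard answers only when the exact name does not exist at
    all (a name that has an A record but no TXT is not covered by it), which
    is how DNS wildcards behave.
    """
    if name in txt:
        return txt[name]
    parent = name.partition(".")[2]
    wildcard = f"*.{parent}" if parent else None
    if wildcard in txt and name not in a_records:
        return txt[wildcard]
    return None


def check_host(ip, domain, txt=ZONE_TXT, a_records=ZONE_A):
    """Evaluate the SPF record published for `domain` against connecting `ip`.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    domain = domain.lower()
    record = lookup_txt(domain, txt, a_records)
    if record is None:
        return "none"            # no policy published: nothing can be said
    terms = record.split()
    if terms[0] != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            target = arg.lower() or domain
            matched = any(ipaddress.ip_address(a) == addr
                          for a in a_records.get(target, []))
        else:
            return "permerror"   # mechanism not implemented in this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"             # nothing matched and no explicit 'all'


def helo_decision(ip, helo, txt=ZONE_TXT, a_records=ZONE_A):
    """The policy proposed in the thread: reject on fail, let anything else pass."""
    result = check_host(ip, helo, txt, a_records)
    return ("reject" if result == "fail" else "accept"), result


if __name__ == "__main__":
    attacker_ip = "203.0.113.7"   # constructed: a host not in domain.com's record
    for helo in ["domain.com", "bogussubdomain.domain.com",
                 "doma1n.com", "domain.com.INTERNET"]:
        print(f"{helo:28} -> {helo_decision(attacker_ip, helo)}")
    # Publishing a *.domain.com wildcard closes only the first of the three cases.
    with_wildcard = dict(ZONE_TXT, **{"*.domain.com": "v=spf1 -all"})
    print("bogussubdomain.domain.com with *.domain.com ->",
          helo_decision(attacker_ip, "bogussubdomain.domain.com", with_wildcard))
```

Run as written, only the exact `HELO domain.com` from the attacker's address is rejected; the three look-alike HELO strings return `none` and are accepted, which is precisely the loophole Meng describes. Adding a `*.domain.com` TXT wildcard turns the bogus-subdomain case into a `fail`, but `doma1n.com` and `domain.com.INTERNET` are names the domain owner does not control, so no record they publish can affect those results.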

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/spf-draft-20040209.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/