spf-discuss

Why keep people thinking HELO checks provide a loophole?

2004-02-24 17:01:59

    HELO asarian-host.net
    250-asarian-host.net Hello faker.com [1.2.3.4], pleased to meet you
    MAIL FROM: <>

Now, why on God's green earth would this present a security hole? What, you
think just because people use my domain name as HELO string, that they now
have a fake pass-key? Of course not! I will make an SPF-check against
'asarian-host.net', and find, O surprise, that 1.2.3.4 is not a permitted
sender host!

The false notion seems to have crept in, that just because the HELO string
is an unreliable variable, that therefore checks against the HELO string are
also unreliable. Not so! Because the IP of the spammer is still a constant
in this equation: he can set Mohammed to the mountain, but not the mountain
to Mohammed! :)

SPF runs in slightly 'degraded' mode when it encounters an empty
envelope-from + a HELO string set to a non-SPF compliant host. But the
penalty for the spammer is equally limiting, if not more severe: in 'DSN
mode' delivery is also degraded, and restricted to a single recipient. And
if your host sends out SRS envelope-froms, and rejects on anything but an
SRS signed recipient, in case of MAIL FROM: <>, the spammer is effectively
shut off.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
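
The check described in the message above, as an added example that is not part of the original post: with an empty envelope sender, SPF is evaluated against the HELO domain, and the connecting IP decides the result. The SPF records, the `192.0.2.0/24` range, `nospf.example` and all function names are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed stand-ins for DNS TXT lookups (assumed values, not real records).
SPF_RECORDS = {
    "asarian-host.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "nospf.example": None,  # a HELO domain that publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_identity(mail_from, helo):
    """Choose the domain to evaluate: HELO when the envelope sender is empty."""
    if mail_from.strip() in ("", "<>"):
        return "helo", helo.lower()
    return "mailfrom", mail_from.strip("<>").rsplit("@", 1)[-1].lower()


def evaluate(record, client_ip):
    """Evaluate a simplified SPF record against the connecting IP address."""
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # Mechanisms that need further DNS lookups (a, mx, include) are
        # skipped in this simplified example.
    return "neutral"


def spf_check(client_ip, helo, mail_from):
    """Return (identity used, domain checked, SPF result) for one session."""
    scope, domain = check_identity(mail_from, helo)
    return scope, domain, evaluate(SPF_RECORDS.get(domain), client_ip)


if __name__ == "__main__":
    # The session from the message: forged HELO, empty envelope sender.
    print(spf_check("1.2.3.4", "asarian-host.net", "<>"))
    # A host inside the constructed permitted range sending a bounce.
    print(spf_check("192.0.2.25", "asarian-host.net", "<>"))
```
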