spf-discuss

Re: Why keep people thinking HELO checks provide a loophole?

2004-02-25 03:45:23
----- Original Message -----
From: "David Woodhouse" <dwmw2(_at_)infradead(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, February 25, 2004 10:02 AM
Subject: Re: [spf-discuss] Why keep people thinking HELO checks provide a
loophole?

> On Wed, 2004-02-25 at 00:01 +0000, Mark wrote:
>
>> Why keep people thinking HELO checks provide a loophole?
>>
>> HELO asarian-host.net
>> 250-asarian-host.net Hello faker.com [1.2.3.4], pleased to meet you
>> MAIL FROM: <>
>>
>> Now, why on God's green earth would this present a security hole?
>
> It doesn't present a security hole. What it _does_ do, however, is
> provoke clueless users into complaining to/about
> postmaster(_at_)asarian-host(_dot_)net when they see the HELO arguments in
> Received: headers; especially if they appear there with only an IP
> address because the connecting host had no reverse DNS.

Ok; but that is not an SPF issue; let alone an alleged weakness therein.

> That's worth avoiding, surely?

Sure.

> It's safe, too. I'm perfectly justified in saying that no host out there
> shall identify itself with 'HELO infradead.org' or 'HELO
> *.infradead.org' except mine.

Absolutely. ;) In fact, I even maintain a local DNSBL with hosts who pretend
to be me (or one of the domains I host); and it already contains over 20,000
entries. My point however was, that while checking for bogus HELO strings is
certainly useful, from an anti-spam point of view, not checking thereon does
NOT present an SPF loophole, as has been suggested.

I will even up you one. :) A spammer who uses an empty envelope-from, thus
relying on his HELO string, is actually worse off in an SPF world. Because it
re-introduces domain name black-listing. Yes, of course he can register a
fake domain, and publish +all SPF records for it. Except that he just tied
himself to that domain. And that is costly. Because instead of sending out
addies with the AOL domain, he must now use his own domain(s). And that will
get him blacklisted a lot sooner.

> I'd be interested in a way to declare that
> for _any_ HELO argument inside infradead.org, you should accept _only_
> if there's an A or AAAA record which points back to the connecting host.

A sensible precaution; and I do the same; but not at the location in the
Milter where I do SPF checks (earlier even). I just see such an instance as
another, SPF-unrelated, spam-indicator which gives me a nice early out, before
I even have to make an SPF query.

> This would _have_ to be possible without _any_ chance that people will
> do the same checks for MAIL FROM:<> addresses. Until the whole world has
> implemented some non-broken form of SRS, of course I cannot justify to
> my users the publication of SPF records which would prevent them from
> sending their mail to people with .forward files.

SRS0 is not broken; SRS1 still has the outstanding issue, I believe, on
whether some sort of a verification callout should be made on the reversed
SRS0 address. I do not think it was decided yet. :)

Cheers,

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
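
The HELO check discussed in this message (accept a HELO name inside your own domain only if one of its A or AAAA records points back to the connecting host), sketched as an added example; it is not code from either poster or from any existing milter. The domain example.org, the documentation-range addresses and all function names are constructed for illustration.

```python
import ipaddress
import socket

def system_resolver(name):
    """Return every A/AAAA address the OS resolver gives for name (empty on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return set()
    return {info[4][0] for info in infos}

def in_protected_zone(helo, protected):
    """True if helo equals a protected domain or is a subdomain of one.
    Entries in protected are lowercase with no trailing dot."""
    name = helo.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in protected)

def check_helo(helo, client_ip, protected, resolve=system_resolver):
    """Return 'skip', 'accept' or 'reject' for one SMTP connection."""
    if not in_protected_zone(helo, protected):
        return "skip"                    # not our name: leave it to other checks
    client = ipaddress.ip_address(client_ip)
    if client.version == 6 and client.ipv4_mapped:
        client = client.ipv4_mapped      # ::ffff:a.b.c.d on dual-stack listeners
    for addr in resolve(helo.rstrip(".")):
        try:
            # Compare parsed addresses, not strings, so IPv6 spellings match.
            if ipaddress.ip_address(addr.split("%")[0]) == client:
                return "accept"
        except ValueError:
            continue                     # ignore malformed resolver output
    return "reject"                      # claims our name, but no record points back

# Constructed sample zone data standing in for real DNS answers.
PROTECTED = ["example.org"]
SAMPLE_ZONE = {
    "example.org": {"192.0.2.1"},
    "mail.example.org": {"192.0.2.10", "2001:db8::25"},
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name.lower(), set())

if __name__ == "__main__":
    for helo, ip in [("mail.example.org", "192.0.2.10"),
                     ("example.org", "198.51.100.7"),
                     ("faker.example.net", "198.51.100.7")]:
        print(helo, ip, check_helo(helo, ip, PROTECTED, sample_resolver))
```

The decision depends only on the HELO argument and the connecting address, so it never touches the MAIL FROM path and can run before any SPF query.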