spf-discuss

Re: Why keep people thinking HELO checks provide a loophole?

2004-02-25 06:55:14
----- Original Message -----
From: "David Woodhouse" <dwmw2(_at_)infradead(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, February 25, 2004 12:09 PM
Subject: Re: [spf-discuss] Why keep people thinking HELO checks provide a
loophole?

On Wed, 2004-02-25 at 10:45 +0000, Mark wrote:

Ok; but that is not an SPF issue; let alone an alleged weakness therein.

Indeed. It's just something which SPF could usefully be extended to
check. In fact it makes far _more_ sense in this universe, right now, to
tie HELO to coming from certain IP addresses than it does MAIL FROM:<>

I'd be interested in a way to declare that for _any_ HELO argument
inside infradead.org, you should accept _only_ if there's an A or AAAA
record which points back to the connecting host.

A sensible precaution; and I do the same; but not at the location in the
Milter where I do SPF checks (earlier even). I just see such an instance as
another, SPF-unrelated, spam-indicator which gives me a nice early out,
before I even have to make an SPF query.

I'm not sure you mean the same thing. I really mean what I said -- I
want a way to declare to the world that 'HELO *.infradead.org' may only
come from my hosts; to avoid my name appearing in HELO elsewhere.

Oh; we were at cross-purposes here. I thought you meant *local* checks on
such incoming HELO strings that pretend to be from you. ;)

In particular, if you refused to accept a HELO argument from anyone
without a suitable PTR record which points back to the same name, you'd
refuse my IPv6 hosts, since the 2002::/16 6to4 range doesn't have
working reverse DNS (yet?).

It seems risky to base a decision on a PTR query of a HELO string.
Especially since I've come to regard HELO strings as almost completely
untrustworthy/irrelevant. Currently, I only really use them when I expect a
PTR lookup to pass, but it fails; then, if the HELO string produces an A
record that matches the client IP, I consider the host resolved after all.

And we digress; that topic doesn't belong on this list. My point was
just that if SPF supports a mechanism to limit HELO to coming from
certain IP addresses, it would be useful if one could publish such a
record without _any_ chance that hosts would also start checking that
MAIL FROM: the same domain is _also_ limited to those same IP addresses.

Agreed. I only came in, because I saw what seemed a long stream of posts
suggesting SPF had some major loophole, which I wanted to refute.

Cheers,

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
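
The fallback discussed in the message above (try the PTR lookup first; if that fails, accept the host as resolved when the HELO name has an A or AAAA record equal to the connecting address), as an added example that is not part of the original thread. The DNS tables, host names and function names are constructed for illustration, and forward-confirming the PTR name is an assumption of this example.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges, hypothetical
# names) so the example runs offline instead of querying a real resolver.
FORWARD = {  # name -> A/AAAA addresses
    "mail.example.org": ["192.0.2.10"],
    "v6.example.org": ["2002:c000:20a::1"],   # 6to4 host, no reverse DNS
    "victim.example.net": ["198.51.100.7"],
}
REVERSE = {  # address -> PTR names
    "192.0.2.10": ["mail.example.org"],
    "203.0.113.5": ["dsl-5.isp.example"],     # PTR exists, no forward record
}


def _norm(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.rstrip(".").lower()


def forward_matches(name, client_ip, forward=FORWARD):
    """True if any A/AAAA record for `name` equals the connecting address."""
    client = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == client
               for a in forward.get(_norm(name), []))


def resolve_client(client_ip, helo, forward=FORWARD, reverse=REVERSE):
    """Return (verdict, name) for a connecting SMTP client.

    1. PTR lookup, accepted only if the PTR name maps back to the client
       (forward confirmation is an assumption of this example).
    2. Otherwise fall back to the HELO argument: accepted only if one of
       its A/AAAA records is the connecting address.
    """
    key = str(ipaddress.ip_address(client_ip))   # canonical text form
    for ptr in reverse.get(key, []):
        if forward_matches(ptr, client_ip, forward):
            return ("ptr-confirmed", _norm(ptr))
    if helo and forward_matches(helo, client_ip, forward):
        return ("helo-confirmed", _norm(helo))
    return ("unresolved", None)


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "anything.invalid"),
                     ("2002:c000:20a::1", "v6.example.org"),
                     ("203.0.113.5", "victim.example.net")]:
        print(ip, helo, resolve_client(ip, helo))
```

The third sample is the case the thread is concerned with: a client using someone else's name in HELO stays unresolved because that name's address records do not include the connecting address.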