----- Original Message -----
From: "Greg Connor" <gconnor(_at_)nekodojo(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, February 26, 2004 12:51 AM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???
Did you not agree with the statement "checking HELO is not the design goal
of SPF," or did you not understand it?
No, I uncategorically, without a doubt, do not agree with it.
The client domain name as provided in the HELO/EHLO state of the SMTP state
machine *is very much part* of the SPF function specification validation
logic, alogythm, design goal, etc, etc, etc.
I think it is clear in the specs that "checking HELO is *ONE* of the design
goals of SPF"
The loophole is again non-null return paths has no provision to even check
for local domain spoofing which is the *Heart and Soul" f the LMAP based
proposals - to protect YOUR local domains (domains own by the MTA) from
spoofers.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com