At 04:45 PM 2/26/2004, Hector Santos wrote:

> Again, if you go by the specs, you have a loophole which means that every
> SMTP author has to take extra provision to address this specific issue
> that is not part of the specs.

It depends on what you mean by "loophole." To my mind, and I suspect to
many people here, a loophole in SPF would be something that would enable a
spammer to cause a failed SPF check to pass instead.
A forged HELO string will no more punch through an SPF check than will a
forged Received header. Nor will it cause bounces to go to the forged
domain's real server. It's much less effective at fooling an end user than
simply forging the From line.
I can see that checking the HELO string against SPF data might provide some
*extra* benefit, but I would disagree that skipping such a check would
allow forged mail to bypass SPF.
Kelson Vibber
SpeedGate Communications <www.speed.net>
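The point in the reply above is that SPF evaluates the connecting IP against the MAIL FROM domain's record, so a forged HELO string neither changes that result nor rescues a failing check, while checking HELO separately can add a little information. The following is an added illustration, not code from this thread or from any SPF implementation: a deliberately simplified evaluator (only `ip4:` and `all` mechanisms) run against constructed in-memory records, with the MAIL FROM check and the optional HELO check kept independent so their results can be compared.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups, so the example runs offline.
# The domains, addresses and records below are illustrative only.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.com": "v=spf1 ip4:192.0.2.10 -all",
    # "nospf.example" intentionally has no record.
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain, or None when it publishes none."""
    return SPF_RECORDS.get(domain.lower())


def evaluate_spf(domain, client_ip):
    """Toy SPF evaluation of one domain against the connecting IP.

    Supports only the ip4: and all mechanisms with +, -, ~ and ? qualifiers.
    Returns one of: pass, fail, softfail, neutral, none.
    """
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # mechanisms outside this toy (a, mx, include, ...) are skipped
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match


def check_envelope(client_ip, helo, mail_from):
    """Run the standard MAIL FROM check and, separately, a HELO check.

    The HELO string never feeds into the MAIL FROM result: the two lookups
    use different domains but the same connecting IP.
    """
    mailfrom_domain = mail_from.rsplit("@", 1)[-1]
    return {
        "mail_from": evaluate_spf(mailfrom_domain, client_ip),
        "helo": evaluate_spf(helo, client_ip),
    }


if __name__ == "__main__":
    # Legitimate server: both checks pass.
    print(check_envelope("192.0.2.10", "mail.example.com", "user@example.com"))
    # Unauthorised host presenting a forged HELO: MAIL FROM still fails.
    print(check_envelope("198.51.100.7", "mail.example.com", "user@example.com"))
    # MAIL FROM domain with no record: only the HELO check yields a verdict.
    print(check_envelope("198.51.100.7", "mail.example.com", "user@nospf.example"))
```

The second case is the one the reply describes: the HELO value is set to the real server's name, yet the MAIL FROM verdict is still `fail`, because only the connecting IP and the MAIL FROM domain's record enter that decision. The third case shows where a HELO check adds something: when the MAIL FROM domain publishes nothing, the HELO domain's record can still produce a verdict for the same IP.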