On Sun, Feb 29, 2004 at 07:59:53AM -0500, Hector Santos wrote:
> > There is no loophole.
> There is a loophole. I proved it many times.
Hector:
You think of it as a loophole. Others think of it as a design choice.
A choice that MAY be flawed but you have not PROVEN that. You are stating
an opinion, not a fact.
Then again: I am NOT against your opinion.
All:
What problems may be expected when the HELO|EHLO string is checked every time,
not just when the RHS of "mail from:" is empty?
If the HELO string can be resolved to an SPF record, and if the domain owner
has control over the SPF record (a given fact IMHO), forgery can be detected?
Instead of debating examples that are either non-relevant or loopholes, maybe
we should debate examples where SPF would result in false positives without
the domain owner being able to correct the situation.
Suppose SPF would be used to check HELO in all cases:
DNS records:
domain.tld              MX  0 mail1
                        MX  1 mail2
                        TXT "v=spf1 mx -all"
mail1                   A   a.b.c.1
                        TXT "v=spf1 a -all"
mail2                   A   a.b.c.2
                        TXT "v=spf1 a -all"
*                       TXT "v=spf1 -all"
1.c.b.a.in-addr.arpa    PTR mail1.domain.tld
2.c.b.a.in-addr.arpa    PTR mail2.domain.tld
All mail is sent with RHS "domain.tld", or as the null sender.
mail1 uses "HELO mail1.domain.tld".
mail2 uses "HELO mail2.domain.tld".
I believe that in this setup, no system may use "domain.tld" in HELO,
unless it is one of the MXes of this domain. If so, then changing SPF
so that it always checks HELO would not result in FPs.
The only two "problems" (and I don't consider these to be real problems) are:
- mail could be sent as "user@mail1.domain.tld", but only from
the MXes.
- hosts could announce as "HELO domain.tld", but only the MXes.
Both are under control of the domain owner => not a real problem.
cheers,
Alex
--
begin sig
http://www.googlism.com/index.htm?ism=alex+van+den+bogaerdt&type=1
This message was produced without any <iframe tags
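The zone Alex sketches, as an added example that is not part of the original post: a toy SPF evaluator (not any real SPF library) that runs his HELO-only check over those records. 192.0.2.x and 203.0.113.x are constructed stand-ins for the post's a.b.c.x placeholders, and only the mechanisms the post uses (a, mx, all) are implemented.

```python
# Added example: toy SPF evaluator for the HELO-only check in the post above.
# The zone mirrors the post's records; 192.0.2.x / 203.0.113.x are constructed
# stand-ins for its a.b.c.x placeholders. Only a, mx and all are implemented.

ZONE = {
    "domain.tld":       {"MX": ["mail1.domain.tld", "mail2.domain.tld"],
                         "TXT": ["v=spf1 mx -all"]},
    "mail1.domain.tld": {"A": ["192.0.2.1"], "TXT": ["v=spf1 a -all"]},
    "mail2.domain.tld": {"A": ["192.0.2.2"], "TXT": ["v=spf1 a -all"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Resolve from the constructed zone; the '* TXT' wildcard only covers
    names that do not exist at all, as in real DNS."""
    if name in ZONE:
        return ZONE[name].get(rtype, [])
    if rtype == "TXT" and name.endswith(".domain.tld"):
        return ["v=spf1 -all"]
    return []

def check_helo(helo, client_ip):
    """Evaluate the HELO name's own SPF record against the connecting IP."""
    recs = [t for t in lookup(helo, "TXT") if t.startswith("v=spf1 ")]
    if len(recs) != 1:  # no record, or duplicates: nothing usable to check
        return "none"
    for term in recs[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client_ip in lookup(helo, "A")
        elif mech == "mx":
            matched = any(client_ip in lookup(mx, "A") for mx in lookup(helo, "MX"))
        else:
            raise ValueError(f"mechanism {mech!r} not implemented in this example")
        if matched:
            return RESULT[qual]
    return "neutral"  # ran off the end of the record (cannot happen with -all)

def evaluate_scenarios():
    """The cases the post reasons about: the MXes, an outsider, a made-up host."""
    return {
        "mail1 from its own address":        check_helo("mail1.domain.tld", "192.0.2.1"),
        "mail2 announcing as domain.tld":    check_helo("domain.tld", "192.0.2.2"),
        "outsider announcing as domain.tld": check_helo("domain.tld", "203.0.113.9"),
        "outsider using a made-up host":     check_helo("bogus.domain.tld", "203.0.113.9"),
        "mail1 announcing as mail2":         check_helo("mail2.domain.tld", "192.0.2.1"),
    }
```

The two "problems" Alex lists show up as the only passing non-trivial cases: an MX may announce itself as domain.tld, and nothing else in the zone can.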