spf-discuss

Re: Possible SPF machine-domain loophole???

2004-02-29 08:48:54
----- Original Message -----
From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Sunday, February 29, 2004 1:08 PM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???

In each case, SPF would bypass the spoofing of the winserver.com
domain. That is not a badly configured server, but one that is
maliciously spoofing the helo domain by using our local domain,
winserver.com.

To say that SPF has a loophole here, because it does not check the
validity of the HELO string, is silly, really: the HELO string is simply
irrelevant in all your examples.

And what if it wasn't a SPF compliant return path domain?

Will you stop all other further checks?

Your reasoning is flawed, because you "appropriate" a functionality to SPF
which SPF never claimed to possess; and then you fault SPF for not having
it.

SPF protects domain owners against unauthorized IP addresses relaying
messages using these protected domain names in the envelope-from. With no
SPF compliant "return path domain" there is, of course, nothing to protect.

Also, you seem to have very little technical understanding of the
fundamental process and SPF, DMP or basic LMAP specifications.

Yeah, that must be it. :) LOL

However fake your HELO string may be, there is nothing you can put in there,
that will cause an SPF check to return "pass" when you try and send mail in
my domain name. Hence, there is no loophole.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
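
The check described in the message above, as an added example that is not part of the original thread: a simplified evaluator that looks up the policy of the envelope-from domain and tests the connecting IP against it, with the HELO string passed in but never consulted. Assumptions: the `RECORDS` table is constructed sample data standing in for DNS TXT lookups, `check_host` is a hypothetical helper name, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (not real policies).
RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, mail_from, helo, records=RECORDS):
    """Evaluate the envelope-from domain's policy against the client IP.

    `helo` is accepted only to show that it never feeds into the decision.
    """
    domain = mail_from.rpartition("@")[2].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no published policy for this domain: nothing to protect
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    # Same unauthorized IP and envelope-from, three different HELO strings.
    for helo in ("example.org", "mail.example.org", "unrelated.invalid"):
        print(helo, "->", check_host("203.0.113.9", "user@example.org", helo))
    # Authorized IP, and a domain that publishes no policy.
    print(check_host("192.0.2.25", "user@example.org", "unrelated.invalid"))
    print(check_host("203.0.113.9", "user@nopolicy.example", "example.org"))
```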