spf-discuss
[Top] [All Lists]

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-09 20:06:37

----- Original Message ----- 
From: "Alex van den Bogaerdt" <alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net>
To: "SPF discussions" <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, March 09, 2004 7:25 PM
Subject: Re: [spf-discuss] Latest proposal re HELO checking: make HELO tests
optional



On Tue, Mar 09, 2004 at 11:39:38AM -0600, wayne wrote:

You appear to still be advocating using the MAIL FROM address to send
bounces to.  As a result, you are advocating abusing innocent third
parties.

Excuse me but I must be missing something here.

If SPF validated the envelope sender, why would I risk sending bounces
to innocent third parties?  Bounces are not evil per se.

I can
-1- receive a message, adding a flag to its headers stating the SPF status
-2- scan the message after receiving it (SA, virusscanner)
-3- store the message for a couple of days (store and forward system)
-4- find that I cannot/should not deliver the message to the final
    destination because it contains bad content (-2-) or because the
    user does not pick up its mail (-3-)
-5- check the SPF status flag and
  -5a- decide to send a bounce (for SPF passed messages)
  -5b- decide to drop (for SPF failed, SPF unsure)

If people want to receive bounces, hey, implement SPF and make sure it
is setup properly.

In my technical opinion, the best way to operateis to perform dynamic RCPT
validation at the SMTP level so that you can avoid bounces in the first
place.

In step 5a,  you can have a SPF compliant spammer who uses a bad address but
compliant domain so that it SPF-passes the test.  But since you did not
perform dynamic RCPT validation,  your system is now overloaded with bounces
that will expire and never make it.

By using dynamic RCPT validation, if ultimately the user is unknown, you can
eliminate all of the steps above because the message shouldn't be received
in the first place, further more, you can lower your SPF overhead since you
don't need to call it until a known RCPT is provided.   Not only will you
improve your operation, but you also help contribute to minimizing SPF
related DNS query network bandwidth.

Yes, I perfectly understand there are some legitimate reasons why a system
may want to operation in post RCPT validation mode.  But I think this
"contributes" to the spamming problem, not help it, and it makes your
overall system logic more complicated as you listed above.

Simple analogy of real world dynamic vs post validation and the complication
with the latter:

o Dynamic Validation System:

Phone: Ring..... Ring......

Receiver:  "Hello?"
Caller:  "Bill there?"
Receiver: "Sorry Wrong Number"
Caller:  "Ok Sorry dude. Bye!"
<click>

o Post Validation System:

Phone: Ring..... Ring......

Receiver:  "Hello?"
Caller:  "Bill there?"
Receiver: "Who is it?"
Caller:  "Tom"
Receiver: "Tom who?"
Caller:  "Tom from Chicago"
Receiver: "Tom from chicago? I don't know any tom! What you want?"
Caller:  "I would like to speak to Bill."
Receiver: "what do you want?"
Caller:  "Is Bill there?"
Receiver:  "Maybe, maybe not! what do you want?"
Caller: "Dude! Is this the right number?"
Receiver:  "Maybe, maybe not! what do you want?"
Caller:  "Tell Bill I'll be arriving at Miami Airport 7pm FT 223 friday"
Receiver:  "Ok, I'll jot it down. Anything else?"
Caller:  "Yeah, tell him to pick me up and don't be late"
Receiver:  "Ok, anything else?"
Caller:  "No, thanks Bye!"
<click>

Receiver yells out: "Hey, is there a bill here?"
Other:  "No bill here! Who was that?"
Receiver: "Some guy bom or rob or something. Said he was from chicago"
Other: "Did you get his number? You better call him back."
Receiver: "I got his caller ID."

Dialing Caller ID...........  ring, ring.......

Operator message:  "This phone booth does not accept incoming calls."

Receiver: "Oh crap!  They guy dialed the wrong number from a phone booth!"
Receiver: "Maybe I should of check first if bill is here!"
Other: "Yeah,  bummer"

<g>  Yeah, stupid, but dynamic validation is better all the way around.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com








<Prev in Thread] Current Thread [Next in Thread>