spf-discuss

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-11 03:02:05
On Thu, Mar 11, 2004 at 03:53:55AM -0500, Hector Santos wrote:


Are you by any chance doing dynamic RCPT validation _without_ making sure
the RHS is valid?

Yes, but all validation including the return path is suspended until the
RCPT is determined.

[snip]

OK, I'm not writing clearly enough.  Rephrase:

If you receive "mail from: <user(_at_)RHS>" will you be doing a validation
call back (mail from:<whatever>; rcpt to:<user(_at_)RHS>) without having
checked that the domain RHS allows ip address a.b.c.d to use that RHS?

If not, you will be probing innocent victims.


Why do I ask?  You were reasoning the spammer could use an invalid username
at an authorized RHS.  Then you talked about rcpt validation.

mail from:<spammer(_at_)RHS>       SPF checking...  +all ==> OK
rcpt to:<victim(_at_)yourdomain>   rcpt checking... "victim" does exist
response:  go ahead

Even at this stage things could go wrong.  Maybe not in your product but
there will be setups where at a later stage it is decided the message
cannot be delivered, or it is delayed, or ..., or ..., or ...

Sending the bounce back to <spammer(_at_)RHS> may result in a double bounce,
unless verification was done (probe to <spammer(_at_)RHS>).  From the
combination of sentences you used, I understood you _are_ probing the local
part of the remote RHS.

cheers,
Alex
-- 
begin  sig
http://www.googlism.com/index.htm?ism=alex+van+den+bogaerdt&type=1
This message was produced without any <iframe tags
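Added example, not code from this thread nor from any SPF or callout implementation: a small model of the exchange Alex describes, gating the sender-address callout (MAIL FROM:<> / RCPT TO:<return-path>) on the SPF result so that the receiving MTA only probes a domain that has actually vouched for the connecting IP. The SPF evaluator is a deliberate subset (ip4:/ip6: mechanisms and "all" with qualifiers; anything needing further DNS is treated as non-matching), and the domains, addresses and TXT records are constructed, not real DNS data.

```python
"""Gate a sender-address callout on the SPF result, so a callout only goes
to a domain that has said the connecting IP may use it.
Added example; not code from the thread or from any SPF implementation.
SPF evaluation is a deliberate subset: ip4:/ip6: mechanisms and 'all' only.
"""
import ipaddress

# Constructed TXT records for hypothetical domains (assumption, not real DNS).
FAKE_DNS_TXT = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "permissive.example": "v=spf1 +all",      # the '+all' case from the post
    "nospf.example": None,                    # domain publishes nothing
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup (assumption: returns the constructed record)."""
    return FAKE_DNS_TXT.get(domain)


def evaluate_spf(record, client_ip):
    """Minimal SPF check: ip4/ip6 mechanisms and 'all' only.

    Mechanisms that need further DNS (a, mx, include, ...) are treated as
    non-matching here. Returns one of pass/fail/softfail/neutral/none.
    """
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"


def callout_allowed(client_ip, mail_from):
    """Permit MAIL FROM:<> / RCPT TO:<mail_from> verification only on spf=pass.

    Anything else means the domain has not said client_ip may use it, so a
    callout would be probing a third party that never sent the message.
    """
    _, _, domain = mail_from.rpartition("@")
    return evaluate_spf(lookup_spf(domain), client_ip) == "pass"


def smtp_decision(client_ip, mail_from, rcpt_to, local_users):
    """Walk the exchange from the post: MAIL FROM -> SPF check, RCPT TO ->
    local user check, then decide whether a callout to the return path is
    permitted. Returns the reply codes given and the callout decision."""
    _, _, domain = mail_from.rpartition("@")
    spf = evaluate_spf(lookup_spf(domain), client_ip)
    outcome = {"spf": spf, "mail_from": "250", "rcpt_to": None, "callout": False}
    if spf == "fail":
        outcome["mail_from"] = "550"          # rejected; nothing further to verify
        return outcome
    localpart, _, _ = rcpt_to.rpartition("@")
    outcome["rcpt_to"] = "250" if localpart in local_users else "550"
    if outcome["rcpt_to"] == "250":
        # Only now is the return path worth verifying, and only if the
        # domain vouches for the connecting IP.
        outcome["callout"] = callout_allowed(client_ip, mail_from)
    return outcome


if __name__ == "__main__":
    users = {"victim"}
    for ip, sender in [("192.0.2.7", "user@strict.example"),
                       ("198.51.100.9", "user@strict.example"),
                       ("198.51.100.9", "spammer@permissive.example"),
                       ("198.51.100.9", "user@nospf.example")]:
        print(ip, sender, smtp_decision(ip, sender, "victim@yourdomain.example", users))
```

Two of the constructed cases carry the point of the thread: for "nospf.example" the result is none, so no callout is made and the domain is never probed for a local part it may know nothing about; for "permissive.example" the "+all" record means the domain has vouched for any IP, so the callout is fair to make, and it is then the only thing standing between a non-existent local part and a later double bounce.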

