spf-discuss

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-11 04:16:12

----- Original Message ----- 
From: "Alex van den Bogaerdt" <alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, March 11, 2004 5:02 AM
Subject: Re: [spf-discuss] Latest proposal re HELO checking: make HELO tests
optional



On Thu, Mar 11, 2004 at 03:53:55AM -0500, Hector Santos wrote:

Yes, but all validation including the return path is suspended until the
RCPT is determined.

[snip]

OK, I'm not writing clearly enough.  Rephrase:

If you receive "mail from: <user(_at_)RHS>" will you be doing a validation
call back (mail from:<whatever>; rcpt to:<user(_at_)RHS>) without having
checked that the domain RHS allows ip address a.b.c.d to use that RHS?

If not, you will be probing innocent victims.

On an unrelated note, I don't agree with this "probing innocent victims"
statement and I don't want to get into the CBV philosophical debates.

But no, I don't know if you "snipped" too soon or didn't read the message.

As I indicated, the suite of wcSAP anti-spam methods does include LMAP lookups
with the CBV being the final test.

What WCSAP does is (in this configurable order):

FILTER check (reads sysop defined white/black list)
RBL check
SPF check
DMP check (turned off at the moment)
CEP check (Microsoft stuff)
CBV check (call back verifier)

If you want to see how it works, go to http://www.winserver.com/testwcsap
and play around. Turn on the high verbosity to get the full wcSAP log.

(Note, CEP is not included in the current production server version).

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
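
An added example, not part of the original message and not wcSAP code: a minimal ordered check chain showing why the position of the CBV step matters, since a callback issued before the SPF step goes out even for a sender IP the domain does not authorize. The verdict names, the sample addresses and the simplified `ip4`/`-all` SPF evaluation are assumptions; DMP and CEP are left out because the message says they are off or not in production.

```python
import ipaddress

# Constructed sample data (documentation address ranges, hypothetical policy).
WHITELIST = {"192.0.2.10"}
BLACKLIST = {"198.51.100.66"}
RBL_LISTED = {"203.0.113.99"}
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}

def filter_check(ip, domain):
    """Sysop-defined white/black list."""
    if ip in WHITELIST:
        return "accept"
    return "reject" if ip in BLACKLIST else "continue"

def rbl_check(ip, domain):
    return "reject" if ip in RBL_LISTED else "continue"

def spf_check(ip, domain):
    """Simplified SPF: only ip4: mechanisms and a trailing -all are evaluated."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "continue"          # no policy published, nothing to decide
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:]):
            return "continue"      # authorized; later checks still run
        if term == "-all":
            return "reject"        # domain says this IP may not use it
    return "continue"

def run_chain(ip, domain, order=("FILTER", "RBL", "SPF", "CBV")):
    """Run checks in the configured order; stop at the first final verdict.

    Returns (deciding_check, verdict, callbacks), where callbacks lists the
    domains that would have received a call-back verification probe.
    """
    callbacks = []

    def cbv_check(ip, domain):
        callbacks.append(domain)   # stands in for the real SMTP callback
        return "continue"

    checks = {"FILTER": filter_check, "RBL": rbl_check,
              "SPF": spf_check, "CBV": cbv_check}
    for name in order:
        verdict = checks[name](ip, domain)
        if verdict != "continue":
            return name, verdict, callbacks
    return "END", "accept", callbacks
```
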
