spf-discuss

Re: HELO Testing

2004-03-15 18:40:48

----- Original Message ----- 
From: "Greg Connor" <gconnor(_at_)nekodojo(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, March 15, 2004 6:39 PM
Subject: RE: [spf-discuss] HELO Testing


You are correct... that is the proposal on the table anyway.  SPF already
does this in the case of MAIL FROM: <> but you would only risk losing
bounces in that case.  The proposal was to allow HELO to FAIL if obviously
forged, and keep going with MAIL FROM if pass/unknown/softfail, and the
HELO checking would be optional anyway.

Unfortunately there is no way to protect against HELO localhost.localdomain
MAIL FROM: <> - that is out of the range of SPF.  If people want to block
bounces (or all mail) from servers with clearly nonexistent HELO names,
that's their own business.  (SPF also doesn't FAIL on nonexistent MAIL FROM
domains either, but it's assumed that your mailer does that anyway.)

People need to remember what LMAP-based proposals offer the best for your
system - protection against local domain spoofing.

When they use your domains, it's a spoof. So why ignore it if presented?   We
are averaging at least 10% rejections based on this.

See our stats: http://www.winserver.com/sslinfo

For our wcSAP system, the new SPF logic will come with the option to define
whether to check all domains, not just locals.  The default is all domains.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
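
The check order discussed in this message, as an added example that is not part of the original post and is not wcSAP's or any SPF library's code. All names are hypothetical, the SPF results come from a constructed table rather than DNS, and "local spoof" is assumed to mean a local domain presented by a client outside the receiver's own networks.

```python
import ipaddress

# Constructed sample data (assumptions, not from the original post).
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Stand-in for real SPF evaluation: (domain, client IP) -> result.
SPF_RESULTS = {
    ("example.com", "192.0.2.10"): "pass",
    ("partner.example", "203.0.113.9"): "fail",
    ("partner.example", "203.0.113.7"): "softfail",
}

def spf_check(domain, ip):
    """Hypothetical lookup; a domain with no SPF record yields 'none'."""
    return SPF_RESULTS.get((domain.lower(), ip), "none")

def is_local_spoof(domain, ip):
    """True when one of our own domains is presented by a foreign client."""
    addr = ipaddress.ip_address(ip)
    return domain.lower() in LOCAL_DOMAINS and not any(addr in n for n in LOCAL_NETS)

def evaluate(ip, helo, mail_from, check_helo=True):
    """Return (action, reason) for one SMTP session."""
    sender_domain = mail_from.rpartition("@")[2] if mail_from else ""
    # Local-domain spoof test on both identities, HELO first.
    for label, dom in (("HELO", helo), ("MAIL FROM", sender_domain)):
        if dom and is_local_spoof(dom, ip):
            return ("reject", f"{label} uses local domain {dom} from foreign IP")
    # Optional HELO test: only an explicit fail ends the session here.
    if check_helo and spf_check(helo, ip) == "fail":
        return ("reject", f"SPF fail for HELO {helo}")
    # Null sender (bounce): the HELO name is the identity that gets checked.
    identity = sender_domain or helo
    result = spf_check(identity, ip)
    if result == "fail":
        return ("reject", f"SPF fail for {identity}")
    return ("accept", f"SPF {result} for {identity}")
```

The last case in the quoted text, HELO localhost.localdomain with MAIL FROM: <>, comes back as accept with result "none", which is the gap described above: blocking it is a local policy decision, not an SPF result.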





