I have just deployed an SPF check that is very effective for a mail server
that acts as a secondary for domains that publish SPF.
When there is no SPF record for MAIL FROM, I look up the SPF record for
HELO, and reject the connection on fail, softfail, neutral.
Why the more stringent requirements? While a site may return neutral
or softfail because users are sending mail from alien sites without SMTP
AUTH or a VPN, there is no reason why an alien site should be using
someone else's domain name for HELO.
This check is effective because spam that uses the recipient's domain
for HELO prefers to use a secondary MX rather than the primary.
Comments welcome (I wouldn't be surprised if this has already been
discussed).
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Very few of our customers are going to have a pure Unix
or pure Windows environment." - Dennis Oldroyd, Microsoft Corporation
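
The HELO fallback policy described in the message above, as an added example that is not part of the original post or the author's code. The record table is constructed sample data standing in for DNS TXT lookups, the names `spf_result` and `decide` are hypothetical, and the evaluator assumes a simplified SPF subset (only `ip4`, `ip6` and `all`; other terms are skipped).

```python
import ipaddress

# Constructed sample records (documentation domains and addresses), not real DNS data.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "example.net": "v=spf1 ip4:198.51.100.10 ?all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Results that cause a reject when the check was made against the HELO name.
HELO_REJECT = {"fail", "softfail", "neutral"}

def spf_result(record, client_ip):
    """Evaluate a simplified SPF subset (ip4/ip6/all) for one client address."""
    if record is None:
        return "none"  # the domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the leading "v=spf1"
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # Assumption: include, a, mx, redirect and the rest are ignored here.
    return "neutral"  # nothing matched

def decide(mail_from_domain, helo_name, client_ip, records=SPF_RECORDS):
    """Return (action, reason); HELO is consulted only if MAIL FROM has no SPF."""
    mf = spf_result(records.get(mail_from_domain.lower()), client_ip)
    if mf != "none":
        # The HELO rule does not apply; normal MAIL FROM handling takes over.
        return ("use-mailfrom-result", f"mailfrom={mf}")
    helo = spf_result(records.get(helo_name.lower()), client_ip)
    if helo in HELO_REJECT:
        return ("reject", f"helo={helo}")
    return ("accept", f"helo={helo}")

if __name__ == "__main__":
    for args in [("nospf.example", "example.com", "203.0.113.5"),
                 ("nospf.example", "example.com", "192.0.2.25"),
                 ("example.com", "example.com", "203.0.113.5")]:
        print(args, "->", decide(*args))
```
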