At 02:29 PM 4/21/2004 -0400, you wrote:
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
Subject: SPF and HELO
Date: Wed, 21 Apr 2004 11:51:48 -0400 (EDT)
I have just deployed an SPF check that is very effective for a mail server
that acts as a secondary for domains that publish SPF.
When there is no SPF record for MAIL FROM, I lookup the SPF record for
HELO, and reject the connection on fail,softfail,neutral.
Why the more stringent requirements? While a site may return neutral
or softfail because users are sending mail from alien sites without SMTP
AUTH or a VPN, there is no reason why an alien site should be using
someone else's domain name for HELO.
This check is effective because spam that uses the recipient's domain
for HELO prefers to use a secondary MX rather than the primary.
Comments welcome (I wouldn't be surprised if this has already been
discussed).
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
******************* REPLY SEPARATOR *******************
An interesting observation, and one that I back up. We list 4 MX servers.
The first two are the highest priority and are highly filtered. The last 2
are basically honey pots that feed a Dynamic Black List server. The Black
List server maintains a Black List of different IP addresses used in the
past 18 hours (varies from 800 to 2300). For reasons I can't explain, the
third priority server gets 5 times the hits of lowest priority server. They
obviously don't work from the bottom up, and I can find no evidence that
they start at the top and work down. At least not using the same IP address.
J.A. Coutts
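The fallback check Stuart describes (SPF on MAIL FROM first; if that domain has no record, SPF on the HELO name, rejecting on fail, softfail and neutral) written out as an added example. This is not code from either poster; it uses a constructed table of SPF records in place of DNS, a deliberately minimal evaluator (ip4/ip6 and "all" mechanisms only, no include/a/mx/redirect), hypothetical example domains, and the assumption that a MAIL FROM result is only rejected on hard fail.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are hypothetical domains.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain, or None if it publishes none."""
    return SPF_RECORDS.get(domain)


def evaluate_spf(record, client_ip):
    """Minimal SPF evaluation: only ip4:, ip6: and all are understood.

    A record in which nothing matches and no 'all' term exists yields
    'neutral', which is the default result SPF specifies.
    """
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            # 'in' is False for a version mismatch, so ip6 terms never match an IPv4 client
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"


def check_sender(mail_from_domain, helo, client_ip):
    """Return (which identity was checked, SPF result) using the HELO fallback."""
    record = lookup_spf(mail_from_domain)
    if record is not None:
        return "mail-from", evaluate_spf(record, client_ip)
    helo_record = lookup_spf(helo)
    if helo_record is None:
        return "none", "none"
    return "helo", evaluate_spf(helo_record, client_ip)


def should_reject(mail_from_domain, helo, client_ip):
    """Stricter policy for HELO: fail, softfail and neutral all reject.

    For MAIL FROM only a hard fail rejects (assumption, since the post
    tolerates softfail/neutral there for roaming users).
    """
    source, result = check_sender(mail_from_domain, helo, client_ip)
    if source == "helo":
        return result in ("fail", "softfail", "neutral")
    return result == "fail"
```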