On Thu, 15 Jul 2004, Nico Kadel-Garcia wrote:
But for example: let's say I target "aol.com" to allow me to send spam in
their name. I buy an address for which I get to publish the PTR, say
10.11.12.13. I set up a PTR record that calles this address
"spamsucker.mx.aol.com".
Voila, I am now able to slip past AOL's SPF records by having a PTR that
points to an mx.aol.com hostname. AOL will get cranky about it if they
notice me doing it, and ARIN will get upset about me creating a PTR to a
domain that I don't own, but there is nothing that demands that PTR's match
*ANY* of the A records for an IP address.
SPF, for one, demands that PTR's match the A record. For that matter,
every internet application I've ever used ignores PTR records that do
not match any A record for the name. Perhaps you known of some (made by
Microsoft?), but it is irrelevant since SPF specifically requires that PTR
records match with an A record for the name.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.