On Thu, 15 Jul 2004 17:23:06 -0400, Nico Kadel-Garcia wrote
But for example: let's say I target "aol.com" to allow me to send
spam in their name. I buy an address for which I get to publish the
PTR, say
10.11.12.13. I set up a PTR record that calles this address
"spamsucker.mx.aol.com".
Voila, I am now able to slip past AOL's SPF records by having a PTR that
points to an mx.aol.com hostname.
All anyone has to do to foil this is check to see if 'spamsucker.mx.aol.com'
is an A record that points to your IP. Many MTAs already do this check as a
matter of course. I would *hope* that SPF checking code wouldn't trust any
PTR record that doesn't have a matching A record.