----- Original Message -----
From: "David Brodbeck" <gull(_at_)gull(_dot_)us>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, July 20, 2004 9:42 AM
Subject: *****SPAM***** Re: *****SPAM***** [spf-discuss] Re: SPF is not
usable as legal measure against spammers.
On Thu, 15 Jul 2004 17:23:06 -0400, Nico Kadel-Garcia wrote
But for example: let's say I target "aol.com" to allow me to send
spam in their name. I buy an address for which I get to publish the
PTR, say
10.11.12.13. I set up a PTR record that calles this address
"spamsucker.mx.aol.com".
Voila, I am now able to slip past AOL's SPF records by having a PTR that
points to an mx.aol.com hostname.
All anyone has to do to foil this is check to see if
'spamsucker.mx.aol.com'
is an A record that points to your IP. Many MTAs already do this check as
a
matter of course. I would *hope* that SPF checking code wouldn't trust
any
PTR record that doesn't have a matching A record.
Sorry, I have repeatedly explained elsewhere that the PTR records cannot be
relied on to match the A record. It's a common and recommended practice to
do so, but it's hardly mandatory nor should it be.
And as stated by others, and which I can affirm: the check for a PTR in most
MTA's is merely a check that a PTR exists to avoid random email forgery from
unmanaged networks which are often used by viruses and spammers, not a check
against the A record, the published name in the "FROM" line of the SMTP
transaction, or anything else.