Hi Guys,
I'm a newbie on this list, and whilst I had a quick scan on the archive
I couldn't really find anything relevant.
My issue is with the use of PTR records in SPF. I've been having a
discussion with people on another list and feel that this opens the
gates slightly and should be re-thought.
I have an example to highlight the issue.
AOL publishes their SPF as:
"v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24
ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23
ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
Now if I send them an email to someone from 212.58.152.252 it will fail
all the IP4 checks. However, it will pass the PTR check as it resolves
to 'spamfrom.mx.aol.com'.
By allowing PTR we are allowing anyone with a reverse DNS delegation to
invalidate the SPF record.
Regards,
Suneel.
P.S. Whilst 212.58.152.252 reverses this way, it is currently in use as
a subnet address and hence should not be making any connections.