spf-discuss

Re: What to include...

2004-10-04 15:20:48

----- Original Message -----
From: <administrator(_at_)yellowhead(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, October 04, 2004 5:40 PM
Subject: Re: [spf-discuss] What to include...


At 01:10 PM 10/4/2004 -0400, you wrote:
SPF classic, unified or whatever, HELO checking is a requirement.  This
was all hashed out and established over 1 year ago.


Sincerely,

Hector Santos, CTO
***************** REPLY SEPARATOR *****************
I am sorry, but I believe William is right. Although some people pressed
for SPF checks on HELO as a requirement, all that was agreed to was SPF
checks on HELO if MAIL FROM: was null. HELO checks for non-null were left
as optional.

You need HELO checking, otherwise this LOOPHOLE will continue to be a thorn
in the side.  I can't believe that, after discussing this last year at length
and Meng finally agreeing, we are going at this once again.  It
doesn't make sense.

It doesn't make sense to have a provision for NULL return path HELO
checking, but then no provision when it's NOT null.  That is illogical in
theory and it is proven to be true in practice.

12% of our rejections are based on NON-NULL return path HELO spoofs.   I
have real 1+ years worth of logs and stats to prove all this.

Before SPF was supported, we used DMP, which has provisions to check for
HELO.  When AOL added SPF support, we finally decided to get on the
bandwagon and added SPF support as well.   Since our system is sysop
configurable, both options were offered and both were turned on to allow for
comparison, especially to see how DNS overhead compared.

Then when we were satisfied with how SPF was going and DMP was lacking support, we
deprecated DMP support, turned it off, and immediately we started to get HELO
spoofs coming into the system that were previously trapped by DMP, but now
bypassed by SPF.

You need HELO checking.  It defeats the purpose otherwise.  Now, this can be done
independently of SPF1, but it is needed because it is a LOOPHOLE otherwise.

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
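The two receiver policies argued over in this message, as an added example that is not part of the original post and not code from any SPF implementation: a toy SPF evaluator (only `v=spf1`, `ip4:` and `all` are handled) running against a constructed in-memory "DNS", so it works offline. All domain names, IP addresses and records are invented for illustration. It shows the gap Hector describes: when the return path is non-null and its domain publishes nothing, a receiver that checks HELO only on a null MAIL FROM never looks at the spoofed HELO, while a receiver that always checks HELO rejects the same transaction.

```python
"""Toy SPF evaluation for the HELO and MAIL FROM identities.

Added illustration, not from the spf-discuss post or any real SPF library.
FAKE_DNS stands in for real DNS lookups; every name and address is made up.
"""

import ipaddress

# Constructed records (assumption: fictional domains and addresses).
# nospf.example deliberately publishes no record at all.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.com": "v=spf1 ip4:192.0.2.25 -all",
    "victim.example": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate a small subset of SPF (v=spf1, ip4:, all) for one identity.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    """
    record = FAKE_DNS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms outside this toy subset are ignored
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


def receiver_verdict(client_ip, helo, mail_from, helo_always):
    """Decide accept/reject for one SMTP transaction.

    helo_always=False: check HELO only when MAIL FROM is null (<>), the
    minimal policy the thread mentions.
    helo_always=True: check HELO on every transaction, then MAIL FROM.
    Returns (verdict, per-identity results).
    """
    results = {}
    if helo_always or mail_from == "":
        results["helo"] = spf_check(helo, client_ip)
    if mail_from != "":
        results["mailfrom"] = spf_check(mail_from.split("@", 1)[1], client_ip)
    verdict = "reject" if "fail" in results.values() else "accept"
    return verdict, results


if __name__ == "__main__":
    # Constructed scenario: an outside host at 203.0.113.7 greets with the
    # receiver's own MTA name (HELO spoof) and uses a non-null return path
    # whose domain publishes no SPF record.
    client, helo, sender = "203.0.113.7", "mail.example.com", "bob@nospf.example"
    for policy in (False, True):
        verdict, detail = receiver_verdict(client, helo, sender, helo_always=policy)
        print(f"helo_always={policy}: {verdict} {detail}")
```

With the constructed data, `helo_always=False` yields `accept` because the only identity examined is the return-path domain, which has no record; `helo_always=True` yields `reject` because `mail.example.com` authorises only 192.0.2.25. The same function also shows the agreed null-sender case: with `mail_from=""` the HELO is checked under either policy.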


