spf-discuss

Re: What to include...

2004-10-04 15:56:27
Hector Santos wrote:

I am sorry, but I believe William is right. Although some people
pressed for SPF checks on HELO as a requirement, all that was agreed
to was SPF checks on HELO if MAIL FROM: was null. HELO checks for
non-null were left as optional.

You need HELO checking otherwise this LOOPHOLE will continue to be a
thorn on the side. I can't believe that after discussing this last year at
length and Meng finally agreeing, that we are going at this once again.

It doesn't make sense to have a provision for NULL return path HELO
checking, but then no provision when it's NOT null. That is illogical
in theory and it is proven to be true in practice.

12% of our rejections are based on NON-NULL return path HELO spoofs.

Sigh; here we go again...

HELO spoofs, within SPF, are utterly self-defeating. That is, no A record
lookup is required even on a HELO string. Simple example: I can use
"pobox.com" as my HELO name; and, without any A record lookup on my bogus
HELO string even, you can do an SPF check on this HELO name, and watch my
relay be unauthorized and FAIL. That is because HELO and IP, within SPF, go
together like a horse and carriage: if I make my HELO foreign to my IP
address, then the result of an SPF lookup on that HELO name must also always
be a result which does not include my IP address. Unless someone publishes
with +all, of course.

I cannot believe that, after a year, you are still peddling the "LOOPHOLE"
fear.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
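
The mechanism Mark describes above, as an added example that is not part of the original thread and not code from any SPF implementation: an SPF check on the HELO identity evaluates the record published for the HELO *name* against the *connecting IP*, so a host that borrows someone else's name is tested against that someone else's record and cannot match, unless that record ends in "+all". The same code also shows the null-sender case, where MAIL FROM:<> falls back to postmaster@HELO and the HELO name gets checked anyway. The DNS zone is a constructed, offline stand-in using RFC 5737 documentation addresses; the records shown for pobox.com and asarian-host.org are invented for illustration and are not those domains' real records, and only the ip4, ip6 and all mechanisms are modelled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# These records are invented for illustration (RFC 5737 documentation
# addresses); they are NOT the real SPF records of pobox.com or any domain.
FAKE_DNS_TXT = {
    "pobox.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "asarian-host.org": "v=spf1 ip4:192.0.2.10 -all",
    "permissive.example": "v=spf1 +all",  # the "+all" caveat from the post
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for domain from the fake zone, or None if absent."""
    record = FAKE_DNS_TXT.get(domain.lower().rstrip("."))
    if record is None or record.split()[0].lower() != "v=spf1":
        return None
    return record


def evaluate_spf(domain, client_ip):
    """Evaluate the SPF record of `domain` against `client_ip`.

    Only ip4, ip6 and all are modelled; that is enough to show the point:
    the record belongs to the domain named in the identity being checked,
    never to the connecting host, so a spoofed HELO name is tested against
    its real owner's record and cannot match unless that record ends in +all.
    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists, ptr need live DNS and are out of scope here.
        return "permerror"
    return "neutral"  # nothing matched and no trailing "all"


def identities(helo, mail_from):
    """Derive the HELO and MAIL FROM domains to check for one SMTP session.

    A null reverse path (MAIL FROM:<>) has no domain of its own, so the
    MAIL FROM identity becomes postmaster@<HELO>: the HELO name is checked
    in that case whether or not a separate HELO check is configured.
    """
    helo = helo.lower().rstrip(".")
    address = mail_from.strip().strip("<>")
    if "@" in address:
        mail_from_domain = address.rsplit("@", 1)[1].lower()
    else:
        mail_from_domain = helo  # null sender: fall back to the HELO identity
    return helo, mail_from_domain


def check_session(helo, mail_from, client_ip):
    """Run the SPF check on both identities of a session and return the results."""
    helo_domain, mail_from_domain = identities(helo, mail_from)
    return {
        "helo": evaluate_spf(helo_domain, client_ip),
        "mailfrom": evaluate_spf(mail_from_domain, client_ip),
    }


if __name__ == "__main__":
    # Mark's scenario: HELO "pobox.com" from a host (192.0.2.10, the address
    # of the constructed asarian-host.org) that pobox.com's record never lists.
    for helo, mail_from, ip in [
        ("pobox.com", "<someone@example.net>", "192.0.2.10"),
        ("pobox.com", "<>", "192.0.2.10"),
        ("asarian-host.org", "<mark@asarian-host.org>", "192.0.2.10"),
        ("permissive.example", "<>", "192.0.2.10"),
    ]:
        print(helo, mail_from, ip, check_session(helo, mail_from, ip))
```

Running it, the spoofed HELO of "pobox.com" fails on the HELO identity for both a non-null and a null reverse path, the host's own name passes, and the "+all" domain passes for anyone, which is exactly the one exception the post names.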

