spf-discuss

Re: What to include...

2004-10-04 20:06:02
On Mon, 4 Oct 2004, Hector Santos wrote:

> You need HELO checking otherwise this LOOPHOLE will continue to be a thorn
> on the side.  I can't believe that after discussing this last year at length
> and Meng finally agreeing, that we are going at this once again.  It
> doesn't make sense.

Proper HELO SPF records are mandatory for the publisher, so you won't have
a problem with the revised spec.

> 12% of our rejections are based on NON-NULL return path HELO spoofs.  I
> have real 1+ years worth of logs and stats to prove all this.

You are free to continue doing HELO checks.  The sender is required
to support them.  

HOWEVER, they are optional for the receiver because policy may vary.

I accept SPF PASS for MAIL FROM *or* HELO - and I have logs and stats
since January 2004 to prove that this works best for my customers.
They have customers in Africa and other 3rd world places where mail
servers are not always configured up to our standards.

> You need HELO checking.  You defeat the purpose.  Now, this can be done
> independently of SPF1, but it is needed because it is a LOOPHOLE otherwise.

HELO checking is required to be supported.  But receivers are not required to
implement it the way you do.  It should be no skin off your back if
somebody you don't know gets more spam than you do.  You can continue
checking for a proper HELO with SPF PASS.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

