spf-discuss

RE: HELO Checking [Re: What to include...]

2004-10-05 20:25:08
> Personally, I am getting more confused as this discussion progresses.
>
>
> The machine name for our Sendmail server is Server1.yellowhead.com, and
> after discovering that it was not using this fully qualified name on the
> outbound HELO, it was corrected. However, this is not the name of any of
> the domains that it acts as mail server for. It is not possible to use the
> correct name for each domain on the HELO, because all but one of these
> domains are pseudo names. The only record you will find for
> Server1.yellowhead.com is an "A" record. There are no "MX" records or "TXT"
> records.
>
> What is the point of checking anything on the fully qualified domain name?
> The Host name (Server1) has no meaning: only the domain name
> (yellowhead.com) portion will produce any meaningful results as far as SPF
> is concerned.


The problem is that you can't tell where in the FQDN a domain actually stops and becomes their ISP or a TLD, which is why, to SPF, the "hostname" does matter.

HELO au01.mta.mycompany.myisp.au.com

Where in this FQDN do I stop checking for SPF records?


Obvious stuff:

1. Every mail domain requires an SPF record for its domain.

2. Every MTA that sends mail requires an SPF record for the HELO value it uses.

3. With an RFC2821.FROM value, an MTA will look up the SPF record for the RFC2821.FROM's domain and check if the connecting IP address is allowed to send for that domain.

4. In the event of a "null" RFC2821.FROM (an NDR or spam), an MTA *may* look up the SPF record for the RFC2821.HELO and check if the connecting IP address is allowed to send for that domain.

5. Some implementations *will* check HELO before or after checking FROM (regardless of FROM's value).


In most cases points 1 and 2 are identical, but there are some cases where they are not. Yours is one of them.


MTA is SERVER1.YELLOWHEAD.COM
IP address is 111.222.333.444; it has no MX records, it has an A record.


So, to allow mail (Point 1) for YELLOWHEAD.COM to be sent via SERVER1.YELLOWHEAD.COM we have:

(YELLOWHEAD.COM) v=spf1 a:SERVER1.YELLOWHEAD.COM/0 ?all


In other words, any mail purporting to come from the domain YELLOWHEAD.COM must come from the single IP address that was resolved from the DNS A record for SERVER1.YELLOWHEAD.COM. (The /CIDR needs to restrict it to a single address, and I was never any good at working those out, so /0 could be the wrong value for that purpose.) If mail comes from any other IP address it will get a NEUTRAL result (unless you really want to use -all here to FAIL them instead; it depends on how sure you are that mail will never come from anywhere else).

And that takes care of your "normal" mail messages and implementations where they don't check HELO.


But, if they do check HELO or you need to send an NDR (a bounce message with a null FROM), then you need to show via SPF that SERVER1.YELLOWHEAD.COM is allowed to send mail on behalf of the HELO it uses (Point 2), so we have:

(SERVER1.YELLOWHEAD.COM) v=spf1 a:SERVER1.YELLOWHEAD.COM/0 -all

In other words, any mail purporting to come from the domain SERVER1.YELLOWHEAD.COM must come from the single IP address that was resolved from the DNS A record for SERVER1.YELLOWHEAD.COM (again, check the /CIDR). If mail comes from any other IP address then it gets a FAIL result, because we know that it will only ever come from this server.

In your case the *only* time a message will come from the domain SERVER1.YELLOWHEAD.COM will be the NDRs from any of the hosted mail domains.

And that takes care of your "other" mail messages and SPF implementations where they do check HELO.



Why is it good? HELO can be forged and FROM can be forged; if you don't check the IP address against the HELO, then null FROMs with forged HELOs can be abused to get around SPF implementations where null FROMs are "ignored".

Why is it bad? More DNS lookups (but hopefully those get cached by an internal DNS server, and the SPF records have long timeouts).


What most people keep forgetting is that SPF (v1) is NOT a spam filter/classifier; all it does is verify that an IP address is allowed to send mail on behalf of the domain given in FROM and/or HELO.

You can still get spam from these people; it's just that now you can prove it's really them that spammed you. Not checking HELO means you still can't be sure which domain really sent the message.


PS. Sorry about the length of the post.

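As an added example (this is not code from the original post or from any SPF implementation), the small evaluator below works through points 3 and 4 above for the two records proposed in the reply: it checks the RFC2821.FROM domain when there is one and falls back to the HELO name for a null sender. DNS is replaced by a constructed in-memory table, so it runs offline; the hostnames, the TEST-NET address 192.0.2.25 standing in for the post's 111.222.333.444, and the record text are all assumptions. It also shows what the /CIDR suffix the author was unsure about actually matches: /32 limits the a: mechanism to the single resolved address, while /0 covers every IPv4 address.

```python
"""Minimal SPF (v1) evaluator for the MAIL FROM / HELO scenario in the post."""
import ipaddress

# Constructed stand-in for DNS (hypothetical zone data, no real lookups).
# 192.0.2.25 is a TEST-NET address used in place of the post's 111.222.333.444.
DNS = {
    "yellowhead.com": {
        "TXT": ["v=spf1 a:server1.yellowhead.com/32 ?all"],   # Point 1 record
    },
    "server1.yellowhead.com": {
        "A": ["192.0.2.25"],
        "TXT": ["v=spf1 a:server1.yellowhead.com/32 -all"],   # Point 2 record
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the v=spf1 TXT record for domain, or None if it has none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def evaluate(domain, ip, record=None):
    """check_host() for the a/ip4/all mechanisms: pass, fail, softfail,
    neutral, or none (no record). A record can be passed in directly to
    try alternative /CIDR values without editing the DNS table."""
    record = record or spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech not in ("a", "ip4"):
            continue                         # other mechanisms not modelled
        target, _, prefix = arg.partition("/")
        prefix = int(prefix) if prefix else 32
        if mech == "a":
            # a:<name>/<cidr>: every address of <name>'s A records, widened
            # to the prefix length. /32 is one host; /0 is the whole of IPv4.
            target = target or domain
            nets = [ipaddress.ip_network(f"{a}/{prefix}", strict=False)
                    for a in lookup(target, "A")]
        else:
            nets = [ipaddress.ip_network(f"{target}/{prefix}", strict=False)]
        if any(ip in net for net in nets):
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched (RFC 7208 4.7)


def check_session(ip, helo, mail_from):
    """Points 3 and 4: check the MAIL FROM domain; with a null sender (an NDR)
    fall back to the HELO name. Returns (which identity was checked, result)."""
    if not mail_from or mail_from == "<>":
        return ("helo", evaluate(helo, ip))
    return ("mfrom", evaluate(mail_from.rsplit("@", 1)[-1], ip))


if __name__ == "__main__":
    # Normal mail from the real server, then from somewhere else (?all -> neutral)
    print(check_session("192.0.2.25", "server1.yellowhead.com", "user@yellowhead.com"))
    print(check_session("198.51.100.9", "server1.yellowhead.com", "user@yellowhead.com"))
    # A bounce (null sender) from the real server, then a forged-HELO bounce (-all -> fail)
    print(check_session("192.0.2.25", "server1.yellowhead.com", "<>"))
    print(check_session("198.51.100.9", "server1.yellowhead.com", "<>"))
    # What /0 would do: any address passes for yellowhead.com
    print(evaluate("yellowhead.com", "198.51.100.9",
                   "v=spf1 a:server1.yellowhead.com/0 -all"))
```

Run it as a script to see the five results; the last line is the one worth noticing, since the record with /0 passes an address that never appears in any A record, which is why the post's "(check the /CIDR)" caveat matters.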