At 02:08 AM 10/6/2004 -0400, "Raymond Neeves"
<raymond_neeves(_at_)hotmail(_dot_)com>
wrote:
But, if they do check HELO or you need to send an NDR (a bounce message with
a null FROM) then you need to show via SPF that SERVER1.YELLOWHEAD.COM is
allowed to send mail on behalf of the HELO it uses (Point 2), so we have:
(SERVER1.YELLOWHEAD.COM) v=spf1 a:SERVER1.YELLOWHEAD.COM/0 -all
In other words, any mail purporting to come from the domain
SERVER1.YELLOWHEAD.COM must come from the single IP address that was
resolved from the DNS A record for SERVER1.YELLOWHEAD.COM (again, check the
/CIDR). If mail comes from any other IP address then it gets a FAIL result
because we know that it will only ever come from this server.
****************** REPLY SEPARATOR *******************
Unfortunately, it's not quite that simple. There is already a TXT record
for the real mail server (xxxx.yellowhead.com), and you cannot have more
than one SPF record for the same domain (yellowhead.com). As per the
instructions of our filtering service, our MX server (same as the sending
server) is not advertised (i.e. there is no MX record for the real server
either), thereby forcing all incoming mail to be routed through the
filtering service. And I am not messing with this because IT WORKS!
For a spammer who manages to find the real server, I have an internal
dynamic Black List Server that makes short work of them. So far, the only
ones to get through are a few virus programs that guess the name of the MX
server rather than use the normal DNS process, and fortunately they also
guess the UserID names, which usually don't exist.
As long as the receiver only checks the sending IP against the "A" record
IP for the FQDN supplied with HELO, it will match. The HELO FQDN itself is
useless information, and will not match the MAIL FROM: domain name in most
cases.
J.A. Coutts
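The HELO check discussed above, as an added example that is not part of either poster's message: a minimal SPF evaluator for the HELO identity that supports only the `a` (with optional /CIDR), `ip4` and `all` mechanisms, resolving names from a constructed in-memory DNS table rather than live DNS. The address 192.0.2.25 and the lowercase host key are placeholders, not the real yellowhead.com records; the record text is the one quoted in the thread, shown with /32 and with the /0 the poster told readers to check.

```python
import ipaddress

# Constructed DNS table standing in for real A-record lookups (placeholder address).
DNS_A = {
    "server1.yellowhead.com": ["192.0.2.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _networks(mech, helo_domain):
    """Expand one mechanism (qualifier stripped) into the networks it covers."""
    name, _, cidr = mech.partition("/")
    cidr = int(cidr) if cidr else 32          # SPF default for IPv4 is /32
    if name == "all":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name.startswith("ip4:"):
        return [ipaddress.ip_network(f"{name[4:]}/{cidr}", strict=False)]
    if name == "a" or name.startswith("a:"):
        host = name[2:] if name.startswith("a:") else helo_domain
        # Every A record of the host becomes a network of the given prefix length.
        return [ipaddress.ip_network(f"{addr}/{cidr}", strict=False)
                for addr in DNS_A.get(host.lower(), [])]
    raise ValueError(f"unsupported mechanism: {mech}")


def check_helo(helo_domain, sender_ip, spf_record):
    """Evaluate spf_record for the HELO identity; first matching mechanism wins."""
    ip = ipaddress.ip_address(sender_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # not an SPF record at all
    for term in terms[1:]:
        qualifier, mech = "+", term            # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if any(ip in net for net in _networks(mech, helo_domain)):
            return QUALIFIERS[qualifier]
    return "neutral"                           # no mechanism matched


STRICT = "v=spf1 a:SERVER1.YELLOWHEAD.COM/32 -all"
LOOSE = "v=spf1 a:SERVER1.YELLOWHEAD.COM/0 -all"   # /0 widens the A record to every IPv4 address

if __name__ == "__main__":
    print(check_helo("server1.yellowhead.com", "192.0.2.25", STRICT))    # pass
    print(check_helo("server1.yellowhead.com", "198.51.100.7", STRICT))  # fail
    print(check_helo("server1.yellowhead.com", "198.51.100.7", LOOSE))   # pass
```

The third call shows why the "/CIDR" needs checking: with /0 the `a:` mechanism matches any sender, so the trailing `-all` never takes effect.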