spf-discuss

Re: Extreme times call for extreme measures?

2004-10-06 18:45:37

On Oct 6, 2004, at 9:31 PM, Hector Santos wrote:
>> Yes, this is a common thing.  In an age when most
>> direct-to-MX spam comes from broadband zombies, any PTR
>> hostname that contains its IP address is automatically
>> suspect.  Being a subdomain of a known broadband provider is
>> confirmation.
>
> Yeah, but I would wish if they would delay the PTR check to see if the user
> is roaming and is going to login with ESMTP AUTH.  If no login, then go
> ahead and do whatever.

Many do this. It is quite easy to do with most OS MTAs (and commercial ones too).

Very few MTAs will use SMTP AUTH to transport mail -- you really have to customize them to do that. Traditionally, MTAs accept client initiated connections for email submission using SMTP AUTH. That is a bit silly as clients should be using the submission port anyway. All this requires is the client changing the outbound SMTP port to 587 and the ISP having a reject-unless-authed MTA running on that port. Every MTA I know of supports that configuration.

> Technically, until the SMTP specs are refined, the LOGIN check approach is more "compatible" with SMTP standards. The "immediate" reject is somewhat against the specs.

It isn't really against the specs. However, most largish organizations soon learn that they lose too much by rejecting at connect. Of course, there are plenty of cases where it is a good idea to reject at connect, but if your postmaster account and abuse account need to be able to receive mail from "bad" net spaces you soon learn that you have to postpone those "pucker off" responses to a tad bit later in the SMTP phase -- like after rcpt to and sometimes even after data.

// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
// Ecelerity: fastest MTA on Earth
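The policy the thread converges on, as an added example that is not code from the thread or from any MTA: the PTR-contains-its-IP heuristic, the "known broadband provider" confirmation, and a decision taken at RCPT TO rather than at connect so that authenticated roaming users and the postmaster/abuse role addresses still get through. The function names, the provider suffix list, the "flag" action for a suspect-but-unconfirmed PTR, and all sample values are constructed for illustration.

```python
import re

# Role mailboxes the post says must still receive mail from "bad" net space.
ALWAYS_ACCEPT_LOCALPARTS = {"postmaster", "abuse"}


def ptr_embeds_ip(ip: str, ptr: str) -> bool:
    """True if the PTR name spells out its own IPv4 address, forward or
    reversed, with '.' or '-' between octets (e.g. cpe-192-0-2-77.isp.example
    or 77.2.0.192.dyn.isp.example). Lookarounds stop partial-octet matches."""
    octets = ip.split(".")
    for seq in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + r"[.-]".join(map(re.escape, seq)) + r"(?!\d)"
        if re.search(pattern, ptr.lower()):
            return True
    return False


def rcpt_policy(client_ip: str, ptr, recipient: str, authenticated: bool,
                broadband_suffixes=()):
    """Decide at RCPT TO (not at connect). Returns (action, reason).

    authenticated   -- SMTP AUTH succeeded earlier in the session
    broadband_suffixes -- constructed list of known dynamic-pool domains
    """
    if authenticated:
        return ("accept", "SMTP AUTH succeeded; treat as roaming user")
    localpart = recipient.split("@", 1)[0].lower()
    if localpart in ALWAYS_ACCEPT_LOCALPARTS:
        return ("accept", "role address must be reachable from any net space")
    suspect = ptr is not None and ptr_embeds_ip(client_ip, ptr)
    confirmed = suspect and ptr.lower().endswith(tuple(broadband_suffixes))
    if confirmed:
        return ("reject", f"550 dynamic broadband host {ptr} not accepted")
    if suspect:
        # Heuristic alone is only "suspect": hand off to content filtering.
        return ("flag", f"generic PTR {ptr}; mark for scoring")
    return ("accept", "no PTR heuristic match")


if __name__ == "__main__":
    # Constructed sample session: dynamic-pool client, not authenticated.
    isp = (".dsl.example-isp.net",)
    print(rcpt_policy("192.0.2.77", "cpe-192-0-2-77.dsl.example-isp.net",
                      "user@example.org", False, isp))
    print(rcpt_policy("192.0.2.77", "cpe-192-0-2-77.dsl.example-isp.net",
                      "abuse@example.org", False, isp))
```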