spf-discuss

Re: draft-schlitt-spf-00pre4 now available

2004-11-05 05:02:15

----- Original Message -----
From: "James Couzens" <jcouzens(_at_)6o4(_dot_)ca>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, November 03, 2004 7:31 AM
Subject: Re: [spf-discuss] draft-schlitt-spf-00pre4 now available

> * The "HELO" identity is explicitly defined
>
> I'm torn here.
>
> 1) It's a bit ambiguous as to WHEN one should perform a HELO evaluation.

It's actually quite simple.

The key is not to violate mixed policies that SPF1 currently allows.

1) Your first rule is local domain spoof protection.  Of these you are very
sure.

Client IP - some spammer
    HELO winserver.com
    MAIL FROM  some non-spf address.com

Since SPF(mail from) yields no result, you can't ignore the fact that the
HELO domain is spoofed.

In practice, the issue is doing an open-ended HELO check.   We currently
choose (via option) to make sure the HELO local domains are checked.

The result: at least 12-15% rejects which would be ignored by the SPF1 specs.

2) The second rule is that an SPF-ready Mail From must use an FQDN domain
name.

Example:

    HELO winserver.com
    MAIL FROM  some spf address.com

If the SPF (mail from) produces some result (PASS or FAIL) then you add some
weight to the final result depending on whether the HELO domain is correct.

If the HELO is not correct, then the sender is violating the SPF1
specification where it says the HELO must be an FQDN if an SPF domain is
published.

In practice, you would be surprised how highly reliable this rule is.

This will be especially the case if a sender is SUBMITTER ready and issues
a SUBMITTER modifier.  If the HELO domain is not correct, this would be an
instant reject in my book.

This way, it's easy to start doing HELO checks, but ignorant hosts won't
suffer.  If I am having to implement SPF, and I have a choice to perform
HELO, it's not an easy one with much flexibility.  Written the way I have
it, it might be more palatable.

Go ahead and implement it.  I'm sure you will find out very quickly what I
learned over a year ago. :-)

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
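The two rules above, written out as a small policy function. This is an added example for this list post, not Santronics code and not anything from the draft; the SPF results are supplied as constructed inputs instead of being resolved over DNS so it runs offline, and the local domain/network table, the FQDN test, the point values and the accept/reject thresholds are all illustrative assumptions of the example.

```python
"""Added example: the HELO policy sketched in the post, as a decision function.

Rule 1: a HELO naming one of *our* domains from an IP that is not ours is
        a spoof and is rejected even when SPF(MAIL FROM) yields no result.
Rule 2: once SPF(MAIL FROM) yields PASS/FAIL/SOFTFAIL, the sender is bound
        by the "HELO must be an FQDN" requirement, so HELO correctness adds
        or subtracts weight; with SUBMITTER present a bad HELO is an
        instant reject.  A host with no SPF record at all is not judged on
        its HELO (ignorant hosts don't suffer).

Assumed (not from the post): the local domain/network table, the FQDN
regex, the point values and the thresholds.  SPF results are constructed
inputs, not DNS lookups.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: domains this MTA is authoritative for, and the networks
# those domains legitimately send from (rule 1).
LOCAL_DOMAINS = {"winserver.com"}
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

REJECT, ACCEPT, CONTINUE = "reject", "accept", "continue"

# Assumed weights: PASS/FAIL/SOFTFAIL base score, HELO adjustment, thresholds.
BASE_SCORE = {"pass": 50, "fail": -75, "softfail": -25}
HELO_OK, HELO_BAD = 25, -25
ACCEPT_AT, REJECT_AT = 50, -50

# Assumed FQDN test: at least one dotted label plus an alphabetic TLD.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I
)


def is_fqdn(name: str) -> bool:
    """True if the HELO argument looks like a fully qualified domain name."""
    return bool(FQDN_RE.match(name.rstrip(".")))


@dataclass
class Session:
    client_ip: str
    helo: str
    mail_from: str          # envelope sender, e.g. user@example.net
    spf_mail_from: str      # "pass", "fail", "softfail", "neutral" or "none"
    spf_helo: str = "none"  # SPF result for the HELO domain, or "none"
    submitter: bool = False # SUBMITTER parameter was supplied on MAIL FROM


def is_local_spoof(s: Session) -> bool:
    """Rule 1: HELO claims one of our domains but the client is not on our network."""
    ip = ipaddress.ip_address(s.client_ip)
    return s.helo.lower().rstrip(".") in LOCAL_DOMAINS and not any(
        ip in net for net in LOCAL_NETWORKS
    )


def helo_is_correct(s: Session) -> bool:
    """HELO counts as correct if it is an FQDN and its own SPF check does not fail."""
    return is_fqdn(s.helo) and s.spf_helo not in ("fail", "softfail")


def evaluate(s: Session) -> tuple[str, int]:
    """Return (verdict, score) for the session under the two rules."""
    if is_local_spoof(s):                       # rule 1, regardless of MAIL FROM
        return REJECT, REJECT_AT * 2
    if s.spf_mail_from not in BASE_SCORE:       # no SPF result: HELO not judged
        return CONTINUE, 0
    correct = helo_is_correct(s)                # rule 2 applies from here on
    if not correct and s.submitter:             # SUBMITTER-ready sender, bad HELO
        return REJECT, REJECT_AT * 2
    score = BASE_SCORE[s.spf_mail_from] + (HELO_OK if correct else HELO_BAD)
    if score >= ACCEPT_AT:
        return ACCEPT, score
    if score <= REJECT_AT:
        return REJECT, score
    return CONTINUE, score


if __name__ == "__main__":
    # Constructed sessions mirroring the post's two examples.
    spoof = Session("203.0.113.5", "winserver.com", "user@example.net", "none")
    legit = Session("203.0.113.5", "mail.example.org", "user@example.org",
                    "pass", spf_helo="pass")
    print(evaluate(spoof), evaluate(legit))
```

The score is a plain integer so the verdict stays explainable in a reject message or a log line; a real MTA would replace the constructed `spf_mail_from` and `spf_helo` fields with the results of its SPF library and the `LOCAL_*` tables with its own configuration.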