spf-discuss

RE: SPF HELO checking

2004-12-13 10:41:02


From: Brian Barrios [mailto:brianantispam(_at_)aol(_dot_)com]
Sent: Monday, December 13, 2004 8:46 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] SPF HELO checking

d) also if you want to protect your helo using spf you will have to
    do more than one workaround, in some cases you will not be able
    to do it without restrictions, and in most cases you will have to
    publish more complicated spf records that will require more than
    one dns lookup.

Yes, this is another concern (that of HELO protection) that was raised
over here that I didn't mention in my original post, but is a good point.
It seems if you want to use the SPF solution to check the HELO, you have
to create overly complicated DNS records to ensure the receiver's query
results in a FAIL on a forged HELO string such as a.a.a.a.forged.example.com.
Without these records in place, the receiver simply receives a "record
doesn't exist".  Whereas with an A lookup, at least for the transition
period to full acceptance, the receiver would get a FAIL.

In the meantime and as helo checks are now (but only now) useful, why
not separate it from spf, make a simple and fast spf like variation
for them and use it until everybody has a strictly rfc compliant helo?

I guess that's the crux of my original question.  With either HELO checking
solution, we're going to have to push the internet community in one
HELO or B) Correct A records setup for their HELO strings.

So why go with the SPF option when the A record option seems easier and
gains us just as much protection with a faster implementation cycle?

-Brian.

Though they may provide similar results now, these two options are
actually not an either/or, and they are not testing the same thing.
Option B just says that a host isn't lying about its own name. Option A
(or CSV, or MTAmark, or presumably other suggested tests) attempts to say
that a host is indeed allowed to send email. Ideally both tests would be
run in conjunction (step 1 make sure that the host is who it says it is,
step 2 make sure that it is allowed to send mail). Checking for forged
HELOs means that to send mail you have to hijack a host with a valid A
record. Checking for authorized and non-forged MTAs means that you now
have to send your mail through hosts a domain expects to act as mail
servers, which in the case of many domains will be a much smaller set.

This obviously does not address the technical issues with how one goes
about doing the tests, or more substantively, how a domain expresses
that a host is explicitly not authorized. 

Robert


Brian Barrios
703.265.7456 / IM: BrianAntiSpam
Antispam/Postmaster Group - America Online, Inc.
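The two checks argued over in this thread, side by side, as an added example
(editor's code, not from Brian, Robert or the SPF project). DNS is an
in-memory table so the script runs offline; every name and address in it
(example.com, mail.example.com, 192.0.2.x, 198.51.100.7) is constructed.
Option B is the plain "HELO name has an A record for the connecting IP"
test; Option A is SPF evaluated with the HELO name as the domain, reduced to
the "a", "ip4" and "all" mechanisms. The two zones show Brian's point (with
ordinary records a forged name gets SPF "none" but an A-check FAIL) and
Robert's point (a real but non-MTA host passes the A check and only SPF can
say it is not allowed to send). It also goes one step past the posts: the
wildcard record that makes a.a.a.a.forged.example.com FAIL does not cover a
forged name under an existing host, because under RFC 1034 wildcard rules a
wildcard only applies below the closest existing ancestor.

```python
"""Toy model of the two HELO checks debated in the thread (added example,
not code from the thread). DNS is an in-memory table; all data constructed."""
import ipaddress

# Constructed zone data: name -> {rtype: [values]}. A key beginning "*." is a
# DNS wildcard. PLAIN_ZONE is what a typical domain publishes today;
# HARDENED_ZONE adds the extra records needed to get FAIL on forged HELOs.
PLAIN_ZONE = {
    "example.com":      {"A": ["192.0.2.1"]},
    "mail.example.com": {"A": ["192.0.2.10"], "TXT": ["v=spf1 a -all"]},
    "www.example.com":  {"A": ["192.0.2.20"]},           # web host, not an MTA
}
HARDENED_ZONE = {
    **PLAIN_ZONE,
    "www.example.com":  {"A": ["192.0.2.20"], "TXT": ["v=spf1 -all"]},
    "*.example.com":    {"TXT": ["v=spf1 -all"]},        # catch forged subdomains
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    """Resolve name/rtype with RFC 1034 wildcard rules: an existing name wins;
    otherwise only a wildcard directly under the closest existing ancestor
    (the 'closer encloser') applies; otherwise None, i.e. NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name].get(rtype, [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        exists = any(n == ancestor or n.endswith("." + ancestor) for n in zone)
        if exists:
            wild = "*." + ancestor
            return zone[wild].get(rtype, []) if wild in zone else None
    return None


def helo_a_check(zone, helo, client_ip):
    """Option B from the thread: the HELO name must have an A record that
    points at the connecting IP. A name with no A record simply fails."""
    addrs = lookup(zone, helo, "A") or []
    return "pass" if client_ip in addrs else "fail"


def helo_spf_check(zone, helo, client_ip):
    """Option A: SPF evaluated with the HELO name as the domain. Only the
    'a', 'ip4' and 'all' mechanisms with +/-/~/? qualifiers are modelled;
    anything else is reported as permerror rather than guessed at."""
    txts = lookup(zone, helo, "TXT") or []
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return "none"           # no policy published: the receiver learns nothing
    ip = ipaddress.ip_address(client_ip)
    for term in spf[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client_ip in (lookup(zone, arg or helo, "A") or [])
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"
        if matched:
            return QUALIFIER[qual]
    return "neutral"            # nothing matched and no explicit 'all'


def compare(zone, helo, client_ip):
    """Both checks for one SMTP client, in the order Robert suggests:
    is the host who it says it is, and is it allowed to send mail?"""
    return helo_a_check(zone, helo, client_ip), helo_spf_check(zone, helo, client_ip)


if __name__ == "__main__":
    cases = [
        ("mail.example.com",           "192.0.2.10"),    # legitimate MTA
        ("www.example.com",            "192.0.2.20"),    # real host, not an MTA
        ("a.a.a.a.forged.example.com", "198.51.100.7"),  # forged, nonexistent name
        ("a.a.www.example.com",        "198.51.100.7"),  # forged name under a real host
    ]
    for label, zone in (("plain", PLAIN_ZONE), ("hardened", HARDENED_ZONE)):
        for helo, ip in cases:
            a, s = compare(zone, helo, ip)
            print(f"{label:8} {helo:28} A-check={a:5} SPF={s}")
```

With PLAIN_ZONE the forged name gets A-check "fail" but SPF "none", which is
exactly the "record doesn't exist" outcome Brian describes; with
HARDENED_ZONE the wildcard turns that into SPF "fail", yet
a.a.www.example.com still yields "none" because www.example.com exists and
has no wildcard of its own, so a domain that wants FAIL everywhere needs a
record under every existing host, not just one at the apex.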





-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

