----- Original Message -----
From: "Chris Haynes" <chris(_at_)harvington(_dot_)org(_dot_)uk>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, December 13, 2004 2:28 PM
Subject: Re: [spf-discuss] Re: SPF HELO checking
The message had been properly rejected because of use of an unauthorised IP
address, but I also noticed it had...

Received: from [212.159.107.246] (helo=[192.168.0.4])

I would have expected the message to have been failed for this address
discrepancy alone, before even consulting the SPF record. Am I too strict?

Chris Haynes

By strict SMTP compliancy, it would be a valid check. A client that uses
a domain literal *MUST* use the same connection IP address. However, I
believe some internet cops will tell you otherwise.

The heart and soul of our anti-spam solution is 100% based on applying a
STRICT SMTP compliancy. I don't believe you can solve the abuse problem
without applying strict compliancy.

We have this domain literal check rule as well and I can share with you that
it works great! We have had it perform the domain literal check by default
for nearly 2 years now.

In this total time, there have been at best 5 to 10 at most valid scenarios
(support complaints) where because of a router, NAT or just a poor setup
that the SMTP client software will use the wrong domain literal. Once they
knew about it, it was no longer an issue. Some older software setups
needed to get updates, like TRANSX, which is an email based file
distribution system. One sysop said he had an Outlook Express MAC user who
indicated they had a problem with the domain literal check. So he had to
turn it off.

In addition, there will be a few Bulk/Batch spammers who will ignore the
HELO rejection and just continue to try again, again, again, again, again
and again, etc, until the transaction is satisfied. I just had this happen
last week, where our connection rates skyrocketed from an average of 9K to
12, 25, and 50K connections per day, all with the SAME moronic sender
failing with a domain literal check and just kept trying over and over
again.

This went away as soon as I turned it off and let him in. The transaction
was rejected either at MAIL FROM or RCPT TO and it was enough to satisfy the
unattended sender queue.

See our December stats and the 3 days last week where it skyrocketed:

http://www.winserver.com/public/antispam

It was just one stupid spammer! It went back to normal when I turned it
off. I still have it off to accumulate some stats with the domain literal
check off.

Just remember this. Spammers will not complain. If a strict SMTP rule is
applied, legit systems will report the issue to you. Spammers will not
complain which shows that it works BETTER than most people may think
otherwise.

Sincerely,
Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
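
The domain literal check discussed in this thread, sketched as an added example that is not part of the original message and is not Santronics' code: it compares a bracketed HELO argument with the connecting IP and is run on the Received line quoted above. The function names, the verdict strings and the Received-line pattern are assumptions made for the illustration.

```python
import ipaddress
import re

# Trace-line shape quoted in the message: from [peer] (helo=<argument>)
RECEIVED_RE = re.compile(r"from \[(?P<peer>[^\]]+)\] \(helo=(?P<helo>[^)]+)\)")


def _normalise(addr):
    """Treat an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as plain IPv4."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr


def check_helo_literal(peer_ip, helo_arg):
    """Return 'not-literal', 'match', 'mismatch' or 'malformed'.

    peer_ip is the address of the TCP connection as seen by the server;
    helo_arg is the argument the client gave to HELO/EHLO.
    """
    peer = _normalise(ipaddress.ip_address(peer_ip))
    helo_arg = helo_arg.strip()
    if not (helo_arg.startswith("[") and helo_arg.endswith("]")):
        return "not-literal"  # a host name, so this check does not apply
    body = helo_arg[1:-1]
    if body[:5].lower() == "ipv6:":  # tag used by SMTP IPv6 address literals
        body = body[5:]
    try:
        claimed = _normalise(ipaddress.ip_address(body))
    except ValueError:
        return "malformed"  # brackets present but no valid address inside
    return "match" if claimed == peer else "mismatch"


def check_received_line(line):
    """Apply the check to a trace line; None if the line has another shape."""
    m = RECEIVED_RE.search(line)
    if m is None:
        return None
    return check_helo_literal(m.group("peer"), m.group("helo"))


if __name__ == "__main__":
    # The header quoted in the message: public peer, private address in HELO.
    quoted = "Received: from [212.159.107.246] (helo=[192.168.0.4])"
    print(check_received_line(quoted))
```

A "mismatch" verdict does not have to be enforced at HELO: the message above describes deferring the rejection to MAIL FROM or RCPT TO.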