Re: SPF HELO checking


----- Original Message -----
From: "Alex van den Bogaerdt" <alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, December 13, 2004 5:35 PM
Subject: Re: [spf-discuss] SPF HELO checking


RFC2821 allows rejection for various reasons.  The only thing it
specifically forbids is you MUST NOT reject purely on the fact that
ptr(connecting ip address) != HELO.


Correct and since day 1, the day I found the IETF (ASRG) and decided to
blend in to participate in the process, I did so, already knowing that we
had to change SMTP functional specifications.  I recall the excitement of
seeing a News Rag saying "The Industry acknowledges SMTP has to change" and
with that I joined the ASRG.

Of course, I was very quickly disappointed to see there were no real effort
to address the real problem and there were more self interest political
bullshit going on.

The problem will not go away or said another way, we will always be plaque
with complexed and convoluted fuzzy rules and situations until the SMTP
specifications are rewritten so that software developers can begin to add
more muscle into their implementations.

But with the current old archaic,  relaxed provisions in SMTP specification,
the system will continue to be abused.

The way I see it, the SPAMMERS will not have any incentive to ADAPT (which
is what we want to do) if there know there will always be systems outside
that can be exploited with weak specifications.

Once the industry begins to apply a stronger compliancy, there SPAMMER will
have no choice to adapt and this is where we can begin to make them ADAPT in
our direction we want them to - one where there is more compliancy and
traceability.   Spammers who do not adapt will eventually die.

Anyway, this is part of the MIX POLICY issue I keep talking about.  It is
ILLOGICAL to attempt to do a SPF check on MAIL FROM if the HELO and IP do
not match.   Why bother with the overhead?

See my LMAP Validation analysis that illustrates these points:

http://www.winserver.com/public/antispam/lmap/draft-lmapanalysis1-2.htm

A system that implements the ideas in this paper will have a very highly
optimized anti-spoofing system based on a strict compliancy, yet backward
compatible SMTP network. :-)


Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office

<Prev in Thread]	Current Thread	[Next in Thread>
Re: SPF HELO checking, (continued) Re: SPF HELO checking, David RE: SPF HELO checking, Brian Barrios Re: SPF HELO checking, David Re: SPF HELO checking, Alex van den Bogaerdt Re: SPF HELO checking, David Re: SPF HELO checking, Alex van den Bogaerdt Re: SPF HELO checking, Alex van den Bogaerdt Re: SPF HELO checking, David Re: SPF HELO checking, Stuart D. Gathman Re: SPF HELO checking, Greg Connor Re: SPF HELO checking, Hector Santos <= Re: SPF HELO checking, Alex van den Bogaerdt Re: SPF HELO checking, David Re: SPF HELO checking, Alex van den Bogaerdt Re: SPF HELO checking, David Message not available Re: SPF HELO checking, David Re: SPF HELO checking, wayne RE: SPF HELO checking, Brian Barrios Re: SPF HELO checking, David Re: SPF HELO checking, David RE: SPF HELO checking, Scott Kitterman