spf-discuss

Re: Re: SPF HELO checking

2004-12-13 17:29:38

----- Original Message -----
From: "Frank Ellermann" <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, December 13, 2004 2:27 PM
Subject: [spf-discuss] Re: SPF HELO checking


If you see HELO hotmail.com it's difficult, they use ~all, so
it would be again your decision to insist on PASS for an SPF
HELO check.  I've proposed an op=helo option for this purpose.


Frank,

The problem I have with "SYSOP" defined policies is the level of trust you
put into them.

If the system says OP=HELO, what does that mean for the system that does
NOT?

Why should I (receiver) be restricted to applying the rule to those who have
this in their SPF record versus those who do not?

If it becomes a good "thing", why would a SPAMMER use it or avoid it?

Understand?

In other words, how a system performs a validation is defined at the server
side (the receiver), not the sender.

The sender is simply to provide logical information that can help the server do
its job. It has to be information that isn't obviously exploitable data,
because otherwise it will be ignored.

When you begin to add validation rules into an exposed policy, it will need
to be coupled with some sort of authentication concept.  This is what CSV
attempts to do.

But as I pointed out to Doug/Dave, this authentication still needs to be
trusted by the server side.  In other words, the SERVER will have to have a
list of "authentication" agents that HE trusts.  Not who the sender says he
uses.

The SMTP state machine is pretty straightforward.  A good computer
scientist can sit down and write down all the theoretical functional
specifications.  The engineer will look at these and see how they currently
fit into the real world, the relaxation of the theory.  I believe
we approach a final solution with something in-between theory and practice.

What has surprised me the most in the year-long IETF-related discussion
areas is that no key person in the IETF-SMTP camp (not even the author of
RFC 2821) has participated in trying to help solve this issue.  They left it
to the OUTSIDE world.  Go figure. :-)   I did ask John why and was very
disappointed to hear his reasons.

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office