
Re: HELO versus MAILFROM results

2005-05-04 06:23:09
Mark Shewmaker wrote:
From section 2.1 of 
http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-01pre5.html :

| It is RECOMMENDED that SPF clients check not only the "MAIL FROM"
| identity, but also the "HELO" identity
[...]
| If the HELO test is performed, and results in a "Fail",
| the overall result for the SMTP session is "Fail",
| and there is no need to test the "MAIL FROM" identity.

I would suggest that checking HELO with SPF is misguided at best.

The HELO name is not required by any RFC to be a domain name.
localhost.localdomain is a perfectly legal HELO name. So are many others
that are not domain names, and thus the results of a DNS lookup on them
would be *undefined*.

Continuing to advocate the use of HELO as a domain name only undermines
the credibility of SPF.

On the other hand, you may store the HELO name, and/or do any other
heuristic checking on its contents. (does it look 'funny', does it look
'reasonable', etc).

While using HELO for SPF may work 99% of the time currently, the fact
that it works incorrectly 1% of the time means it's an unreliable method
100% of the time.

I don't know if the 99% statistic is accurate, but think of the better
content-based spam filters. They are 99.999% effective. Brightmail claims
1 in a million false positive (that is 99.9999%, or 10,000x more
reliable than an SPF check that uses HELO).

The fact that SPF cannot be provably reliable by definition means it can
never be used to reliably establish reputation of a domain.

Yes, I know there is also the forwarding problem that adds
unreliability, but at least there are some documented solutions to that
problem. If in time they become the norm, then SPF becomes reliable.

The solution for the HELO check to become reliable would be for RFC2821
to be amended to *REQUIRE* valid, DNS available lookup names to be used
for the HELO exchange.

Regards,
Radu.
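
Added example, not part of the message above or of the SPF draft: a sketch of how a receiver could sort HELO arguments into those that are syntactically usable as DNS names and those that are not (address literals, single labels, names such as localhost.localdomain), so that a DNS-based check is only attempted on the former. The function names, the class labels and the suffix list are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: illustrative suffixes that do not resolve in public DNS.
NON_PUBLIC_SUFFIXES = {"localdomain", "localhost", "local", "lan", "invalid", "test"}

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_helo(arg: str) -> str:
    """Return a coarse class for a HELO/EHLO argument (hypothetical helper)."""
    arg = arg.strip()
    if not arg:
        return "empty"
    # Address literals such as [192.0.2.1] or [IPv6:2001:db8::1]
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
            return "address-literal"
        except ValueError:
            return "malformed"
    # A bare IP address without brackets is not a domain name either.
    try:
        ipaddress.ip_address(arg)
        return "bare-ip"
    except ValueError:
        pass
    labels = arg.rstrip(".").split(".")
    if len(arg) > 253 or not all(LABEL.match(l) for l in labels):
        return "malformed"
    if len(labels) < 2:
        return "single-label"
    if labels[-1].lower() in NON_PUBLIC_SUFFIXES:
        return "non-public"
    if labels[-1].isdigit():
        return "malformed"
    return "fqdn"


def helo_spf_applicable(arg: str) -> bool:
    """True only when the argument looks like a multi-label public DNS name."""
    return classify_helo(arg) == "fqdn"


# Constructed sample HELO arguments, not taken from real traffic.
SAMPLES = ["mail.example.org", "localhost.localdomain", "[192.0.2.1]",
           "192.0.2.1", "WIN-PC", "bad_name.example.org", ""]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:26} {classify_helo(s):16} spf_helo={helo_spf_applicable(s)}")
```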
