spf-discuss

Re: HELO versus MAILFROM results

2005-05-04 09:50:37
On Wed, 4 May 2005, Radu Hociung wrote:

> Remember, all it takes for the HELO check to stop working is that the
> next version of the spam/phish engines use a different string value for
> their HELO. A 2 line change in the source of spamware, plus 1 year to
> allow for market penetration of the new version is enough to render this
> HELO check useless. In fact, as you mentioned, much spamware already
> uses IP literals, so we are half-way there already.

I simply reject all mail with an IP literal for HELO.  I did this a long
time ago, long before SPF, and have never had a false positive - even
with many very clueless 3rd world admins sending my customers email.
Clueless but otherwise legitimate mail admins put (illegal) things like
'JUPITER' in their HELO, not an IP literal.  Only spammers put IP literals.

Having a proper and verified (resolves to sending IP) FQDN for HELO is an
acceptable form of authentication.  It ties the sending SMTP client to a 
specific domain.

As an SPF publisher, I don't want just any host in our domain sending mail.
I enforce this with a gateway firewall, but expressing the policy in SPF
is also good.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
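
As an added example (not code from this thread or from the poster's mail system), the two HELO checks described in the message above, rejecting IP literals and treating an FQDN that resolves to the sending IP as verified, could be sketched in Python like this. The verdict names, the injectable `resolve` parameter and the sample zone are assumptions made for the illustration.

```python
import ipaddress
import socket

def is_ip_literal(helo):
    """True for address literals ([192.0.2.1], [IPv6:2001:db8::1]) and bare IPs."""
    s = helo.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
        if s.lower().startswith("ipv6:"):
            s = s[5:]
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def system_resolver(name):
    """Forward lookup via the local resolver; returns a set of address strings."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def classify_helo(helo, client_ip, resolve=system_resolver):
    """Return (verdict, reason) for a HELO argument seen from client_ip."""
    if is_ip_literal(helo):
        return ("reject", "ip-literal")
    name = helo.strip().rstrip(".").lower()
    if "." not in name:
        return ("unverified", "not-fqdn")  # e.g. 'JUPITER': illegal, but not rejected
    client = ipaddress.ip_address(client_ip)
    for addr in resolve(name):
        try:
            if ipaddress.ip_address(addr) == client:
                return ("verified", "helo-resolves-to-client")
        except ValueError:
            continue  # skip anything the resolver returned that is not an address
    return ("unverified", "helo-does-not-resolve-to-client")

# Constructed sample data (documentation addresses), standing in for DNS.
SAMPLE_ZONE = {"mail.example.com": {"192.0.2.25"}}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, set())

if __name__ == "__main__":
    for helo in ("[192.0.2.25]", "JUPITER", "mail.example.com", "mx.example.net"):
        print(helo, classify_helo(helo, "192.0.2.25", sample_resolver))
```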