Radu Hociung wrote:
> However, I still think there is no point checking the HELO.
> All a spammer has to do is find a host name, *any host name* without a
> TXT record, and use that in the HELO.
> This SPF check is so easy to bypass, it's not funny.
Define "bypass an SPF check".
You are missing the point of SPF, which is NOT to _enforce_ the use of a
specific identity in HELO (or MAIL FROM, for that matter) for a given IP
address, NOR to magically detect spam, BUT to _prevent_ the use of a
specific identity in HELO (or MAIL FROM) for a given IP address.
If I can prevent spammers, viruses, and fraudsters from using
"mail.mehnle.net" as the HELO identity and
"(_dot_)(_dot_)(_dot_)(_at_)mehnle(_dot_)net" as the MAIL
FROM identity, then SPF has done its job perfectly.
As for the specific point of allowing separate HELO checks next to MAIL
FROM checks, please remember that the HELO and MAIL FROM identities are of
different types. HELO describes a host (an MTA). MAIL FROM describes a
mailbox. { HELO = "mehnle.net", MAIL FROM = "julian(_at_)mehnle(_dot_)net" }
is not redundant information.
Based on HELO authentication, you can assign reputation to MTAs. Based on
MAIL FROM authentication, you can assign reputation to mail domains or
even mailboxes. Often the owner of the HELO MTA and the owner of the MAIL
FROM domain/mailbox are not identical, so this distinction is valuable.
White-/blacklisting a single HELO identity might affect multiple MAIL FROM
identities. White-/blacklisting a single MAIL FROM identity might affect
multiple HELO identities.
> So what are you going to do?
> 1. Block HELOs that resolve with "PASS"?
> 2. Put the HELO strings in a reputation database? Recall that for each
> DNS zone file, there are an infinity of possible HELO strings, each
> unique. That makes for an infinitely large and infinitely useless HELO
> reputation DB.
Reputation databases can be structured hierarchically. If example.com has
a strong negative reputation, unheardof.example.com may implicitly be
assigned a slightly negative reputation as well, even if it doesn't have
any explicit reputation assigned to itself (yet).
> Unfortunately there is no required relationship between the domain name
> in MAIL FROM and the name in HELO.
This is absolutely correct. But why is that unfortunate? If, in general,
there were a relationship between HELO and MAIL FROM, they would, in
general, be (at least partly) redundant.
You may also be missing the point that it is, and must be, receiver policy
whether to perform only HELO or only MAIL FROM checks, or both, and how to
react to their results (in relation to each other or not).
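Added example (not part of the original message or of any SPF implementation) illustrating the argument above: a minimal SPF evaluator over constructed records, a hierarchical reputation lookup, and one receiver's local policy that checks HELO and MAIL FROM as two distinct identities. The records, IP addresses and scores are invented for the illustration; a name without a record yields "none", not "pass", so it cannot be used to impersonate a protected host.

```python
import ipaddress

# Constructed SPF records for the example (not real DNS data).
SPF_RECORDS = {
    "mail.mehnle.net": "v=spf1 ip4:192.0.2.10 -all",
    "mehnle.net": "v=spf1 ip4:192.0.2.0/28 -all",
}
# Constructed reputation table; a missing domain means "no opinion yet".
REPUTATION = {"example.com": -0.8}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(identity, client_ip):
    """Minimal SPF evaluator (ip4 mechanisms and 'all' only). A name that
    publishes no record yields 'none', which is not 'pass': it protects
    nothing, but it also lets the sender impersonate nothing."""
    record = SPF_RECORDS.get(identity.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        q = "+"
        if term[0] in QUALIFIERS:
            q, term = term[0], term[1:]
        if term == "all" or (term.startswith("ip4:") and
                ip in ipaddress.ip_network(term[4:], strict=False)):
            return QUALIFIERS[q]
    return "neutral"  # no mechanism matched and no 'all' term

def reputation(domain):
    """Hierarchical lookup: walk up the labels until an ancestor has a
    score; each inherited level halves the weight."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        score = REPUTATION.get(".".join(labels[i:]))
        if score is not None:
            return score / (2 ** i)
    return 0.0

def receiver_policy(helo, mail_from, client_ip):
    """One receiver's local policy: reject on a definite fail of either
    identity, otherwise combine the reputations of the two identities."""
    mf_domain = mail_from.split("@")[-1]
    if "fail" in (spf_check(helo, client_ip), spf_check(mf_domain, client_ip)):
        return "reject"
    if reputation(helo) + reputation(mf_domain) < -0.5:
        return "reject"
    return "accept"
```

The policy thresholds and the halving rule are arbitrary choices for the example; the point is that HELO and MAIL FROM results and reputations stay separate inputs that the receiver combines as it sees fit.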