spf-discuss

Re: [spf-discuss] Question on a unified policy record approach

2005-09-06 13:11:02
On Tue, Sep 06, 2005 at 04:00:09PM -0400, Terry Fielder wrote:


paddy wrote:
On Tue, Sep 06, 2005 at 01:34:46PM -0500, Seth Goodman wrote:

That's exactly what I'm suggesting.  What is the point of a requirement for
an SMTP client to give its FQDN to an SMTP server while forbidding the
server from rejecting the connection when the FQDN and IP do not match?
While you could provide a partial fix for this by listing _all_ the FQDNs
for the machine under _every_ IP in the reverse DNS zone, that does not
reliably solve the problem.  Anyone with control over their rDNS zone could
list your hostname under their IP and masquerade as your domain.  That's why
some systems ignore the RFCs and REQUIRE forward and reverse DNS to match.
Saying that SPF can resolve this problem easily is beside the point.
RFC2821 was not written with SPF in mind to close the holes.

I repeat the question concerning 2821:  why REQUIRE SMTP clients to give a
valid FQDN (ignoring address literals, for the moment) and then say SMTP
servers MUST NOT deny connections when the A record doesn't match?  That's
like passing a law with two provisions:  1) forgery is illegal and 2) no
governmental entity may prosecute anyone for forgery.  Unless I am missing
something, the two provisions appear contradictory and make it essentially
useless.  Legitimate mailers will give you their correct FQDN, spammers will
not, and you MUST accept both.  Why bother checking if you can't reject?


Seth,

I have been asking myself similar questions.  I came across this:

http://article.gmane.org/gmane.ietf.mxcomp/2707/match=apnic

which may be of some interest.

Regards,
Paddy

Um, reverse lookups are cacheable, correct?

AFAIK.
Not sure how much that buys you in the spam-from-random-zombies case.

And are there any major MTAs that don't already do a reverse lookup for
logging purposes (sendmail and postfix do; I don't have any Exchange
servers so cannot test that one).

good question.

So if the majority of major MTAs already do a reverse lookup for
logging purposes, how is the load likely to increase drastically with the
deployment of a new module (e.g. SPF) that checks for the reverse?

good question.

Am I missing something (or just uninformed  :)?

I really don't know, I'm just sharing what I hope is an interesting find.
I'd be interested to hear the answers, if you find out :)

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall
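The check Seth describes, forward-confirming a client's reverse DNS so that a hostname merely listed in someone else's rDNS zone does not pass, as an added illustration that is not part of the original thread. The resolver is injected and the zone data is constructed, so the example runs offline; the hostnames and addresses are hypothetical.

```python
import ipaddress

# Constructed sample zone data (all names and addresses are hypothetical).
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.net."],
    "198.51.100.7": ["mail.example.net."],  # foreign rDNS zone claims our hostname
    "203.0.113.5": ["mx1.example.org."],
    "203.0.113.9": [],                      # no PTR record at all
}
A_RECORDS = {
    "mail.example.net.": ["192.0.2.10"],
    "mx1.example.org.": ["203.0.113.5", "203.0.113.6"],
}

def lookup_ptr(ip):
    """Stand-in for a PTR query (real code would use a DNS resolver)."""
    return PTR_RECORDS.get(ip, [])

def lookup_a(name):
    """Stand-in for an A query."""
    return A_RECORDS.get(name, [])

def normalize(name):
    """Lower-case and terminate with a single dot so names compare equal."""
    return name.lower().rstrip(".") + "."

def fcrdns(ip, helo=None, ptr=lookup_ptr, a=lookup_a):
    """Forward-confirm the reverse DNS of a connecting SMTP client.

    Returns (verdict, confirmed_names):
      "none"          - the IP has no PTR record
      "fail"          - PTR names exist, but none resolves back to the IP
                        (this is the masquerade case from the thread)
      "helo-mismatch" - rDNS confirmed, but the HELO name is not among them
      "pass"          - at least one PTR name has an A record equal to the IP
    """
    ip = str(ipaddress.ip_address(ip))  # canonical text form for comparison
    names = [normalize(n) for n in ptr(ip)]
    if not names:
        return "none", []
    # Only names whose own A records point back at the client IP count.
    confirmed = [n for n in names if ip in a(n)]
    if not confirmed:
        return "fail", []
    if helo is not None and normalize(helo) not in confirmed:
        return "helo-mismatch", confirmed
    return "pass", confirmed
```

Whether to reject on "fail" or merely log it is the local-policy question the thread is arguing about; the function only produces the verdict.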

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com