spf-discuss

Re: [spf-discuss] Re: SPF adoption statistics

2005-11-21 19:01:40

----- Original Message -----
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
Newsgroups: spf.-.sender.policy.framework.discussion
Subject: RE: [spf-discuss] Re: SPF adoption statistics


On Mon, 21 Nov 2005,  wrote:

Stuart D. Gathman wrote:
This would be after the vast majority have been rejected due to
obviously forged HELO.  Is that still useful?

Rejecting on HELO is RFC-questionable.

When it says "HELO bmsi.com", and it ain't one of my bmsi.com servers,
I'm going to reject it.

If you view this as a LIGHT-WEIGHT LMAP (IP::DOMAIN) association, then I
agree.

SPF works excellently at protecting local domains.

We have this in our rules table:

Reason HELO/EHLO mismatch
Reject if .santronics.com  in .%CDN% and %CIP% != 208.247.131.9
Reject if .winserver.com   in .%CDN% and %CIP% != 208.247.131.9
Reject if .isdg.net        in .%CDN% and %CIP% != 208.247.131.9
Reject if .catinthebox.net in .%CDN% and %CIP% != 208.247.131.9

A simple LMAP rule :-)

No matter what cockamamie RFC-ignorant
(must be a resolvable FQDN - I believe it must resolve to client, but
others disagree) HELO they came up with, they certainly aren't allowed
to use "bmsi.com".  Ditto for any other domains I manage.

Right, it works 100% to control local domains with 100% trust.

The problem is when trying to apply this to remote domains where you don't
know about any legacy issues they may have.

Also, what I do is a basic syntax check (not part of SPF logic but part of our
total AVS suite/package):

  - Illegal Domain Literal --> REJECT
  - Domain Literal/IP Mismatch ---> REJECT

So if the client says:

    HELO 1.2.3.4     --> REJECT

or it says:

    HELO [1.2.3.4]

The IP had BETTER match 1.2.3.4.  That's in the RFC!!

We only had 1-2 false positives with this, and each time it was fixed by the
(good) sender software he was using. One was patched and the other was a setup
option.  Bad senders don't complain. :-)

Furthermore, if the HELO domain has an SPF record and gets anything
other than PASS, I reject it.  There is no reason to accept an SPF
"neutral" for HELO.

Exactly!  Good logical thinking!! <g>

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
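The HELO/EHLO policy the message above describes, put together as one runnable checker. This is an added example, not Santronics' rules-table code or Stuart Gathman's MTA configuration: the rule table copies the four domains and the 208.247.131.9 address from the post, but the function names, the `("reject", reason)` result shape and the `spf_result` parameter are this example's own. It does no DNS, so the post's "must be a resolvable FQDN" requirement is reduced to a syntactic check (an assumption noted in the code), and the SPF result for the HELO identity is passed in by the caller rather than evaluated here. It goes a little beyond the post in handling IPv6 address literals (`[IPv6:...]`) the same way as IPv4 ones.

```python
"""HELO/EHLO policy checks of the kind described in the thread.

Added example; not Santronics' or Stuart Gathman's code.  The rule table
copies the domains and IP from the post; everything else (function names,
result tuples, the spf_result parameter) is this example's own.
"""
import ipaddress
import re

# Local-domain rule table, modelled on the post's "HELO/EHLO mismatch" rules:
# a HELO naming one of these domains (or a subdomain) is accepted only from
# the listed client IPs.
LOCAL_HELO_RULES = {
    "santronics.com":  {"208.247.131.9"},
    "winserver.com":   {"208.247.131.9"},
    "isdg.net":        {"208.247.131.9"},
    "catinthebox.net": {"208.247.131.9"},
}

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def looks_like_fqdn(name: str) -> bool:
    """Syntactic FQDN check only (assumption: no DNS lookups in this example).

    The post wants a *resolvable* FQDN; resolution is left to the caller so
    this runs offline.  A single label such as "localhost" is rejected.
    """
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(lbl) for lbl in labels)


def in_local_domain(helo: str, domain: str) -> bool:
    """Reproduce the post's '.domain in .%CDN%' test: exact match or subdomain.

    The leading dots are what stop "notsantronics.com" matching "santronics.com".
    """
    return ("." + helo.lower().rstrip(".")).endswith("." + domain.lower())


def check_helo(helo: str, client_ip: str, rules=LOCAL_HELO_RULES, spf_result=None):
    """Return ("reject", reason) or ("accept", reason) for one HELO argument.

    spf_result is what the caller's SPF evaluation returned for the HELO
    identity ("pass", "fail", "neutral", ...), or None when the HELO domain
    publishes no SPF record.  As in the post, any record that does not yield
    "pass" is grounds for rejection.
    """
    helo = helo.strip()
    cip = ipaddress.ip_address(client_ip)

    # 1. Address literal: must be bracketed, well-formed, and equal the client IP.
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return ("reject", "illegal domain literal")
        if literal != cip:
            return ("reject", "domain literal/IP mismatch")
        return ("accept", "domain literal matches client IP")

    # 2. A bare address ("HELO 1.2.3.4") is neither a valid literal nor a domain.
    try:
        ipaddress.ip_address(helo)
        return ("reject", "illegal domain literal (unbracketed address)")
    except ValueError:
        pass

    # 3. Anything else must at least look like a FQDN.
    if not looks_like_fqdn(helo):
        return ("reject", "HELO is not a FQDN")

    # 4. Local domains: only our own servers may claim them.
    for domain, allowed in rules.items():
        if in_local_domain(helo, domain):
            if cip in {ipaddress.ip_address(a) for a in allowed}:
                break
            return ("reject", f"HELO/EHLO mismatch for {domain}")

    # 5. SPF on the HELO identity: require PASS whenever a record exists.
    if spf_result is not None and spf_result.lower() != "pass":
        return ("reject", f"HELO SPF result {spf_result}, not pass")

    return ("accept", "HELO passed policy checks")


if __name__ == "__main__":
    # Constructed sample sessions; only the rule table above comes from the post.
    samples = [
        ("1.2.3.4", "1.2.3.4", None),
        ("[1.2.3.4]", "1.2.3.4", None),
        ("[1.2.3.4]", "5.6.7.8", None),
        ("mail.santronics.com", "208.247.131.9", None),
        ("santronics.com", "10.0.0.1", None),
        ("notsantronics.com", "10.0.0.1", None),
        ("example.org", "10.0.0.1", "neutral"),
        ("example.org", "10.0.0.1", "pass"),
    ]
    for helo, cip, spf in samples:
        print(f"HELO {helo!r:24} from {cip:15} -> {check_helo(helo, cip, spf_result=spf)}")
```

The order of the checks matters in practice: the literal and syntax rules are cheap and need no DNS, so they run first, and the local-domain rule runs before any SPF lookup so that a forged "HELO santronics.com" from a foreign address is refused without spending a query on it.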



-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/