----- Original Message -----
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
Newsgroups: spf.-.sender.policy.framework.discussion
Subject: RE: [spf-discuss] Re: SPF adoption statistics
> On Mon, 21 Nov 2005, wrote:
> > Stuart D. Gathman wrote:
> > > This would be after the vast majority have been rejected due to
> > > obviously forged HELO. Is that still useful?
> > Rejecting on HELO is RFC-questionable.
> When it says "HELO bmsi.com", and it ain't one of my bmsi.com servers,
> I'm going to reject it.
If you view this as a LIGHT-WEIGHT LMAP (IP::DOMAIN) association, then I
agree.
SPF works excellently at protecting local domains.
We have this in our rules table:
Reason HELO/EHLO mismatch
Reject if .santronics.com in .%CDN% and %CIP% != 208.247.131.9
Reject if .winserver.com in .%CDN% and %CIP% != 208.247.131.9
Reject if .isdg.net in .%CDN% and %CIP% != 208.247.131.9
Reject if .catinthebox.net in .%CDN% and %CIP% != 208.247.131.9
A simple LMAP rule :-)
> No matter what cockamamie RFC-ignorant
> (must be a resolvable FQDN - I believe it must resolve to client, but
> others disagree) HELO they came up with, they certainly aren't allowed
> to use "bmsi.com". Ditto for any other domains I manage.
Right, it works 100% to control local domains with 100% trust.
The problem is when trying to apply this to remote domains where you don't
know about any legacy issues they may have.
Also, what I do is a basic syntax check (not part of SPF logic but part of our
total AVS suite/package):
- Illegal Domain Literal --> REJECT
- Domain Literal/IP Mismatch ---> REJECT
So if the client says:
HELO 1.2.3.4 --> REJECT
or it says:
HELO [1.2.3.4]
The IP BETTER match 1.2.3.4. That's in the RFC!!
We only had 1-2 false positives with this, and each time it was fixed by the
(good) sender software he was using. One was patched and the other was a setup
option. Bad senders don't complain. :-)
> Furthermore, if the HELO domain has an SPF record and gets anything
> other than PASS, I reject it. There is no reason to accept an SPF
> "neutral" for HELO.
Exactly! Good logical thinking!! <g>
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
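The HELO checks discussed in this message (the local-domain rules table, the bare and bracketed address-literal checks, and rejecting any HELO SPF result other than PASS) as an added Python example; this is not code from the thread or from Santronics' software. The domain list and server IP are taken from the quoted rules table; the SPF result is assumed to be supplied by the caller from a separate SPF lookup.

```python
import ipaddress

# Constructed policy data, taken from the rules table quoted in the message:
# a HELO/EHLO name under one of these domains may only come from this server IP.
LOCAL_DOMAINS = ("santronics.com", "winserver.com", "isdg.net", "catinthebox.net")
LOCAL_SERVER_IPS = {"208.247.131.9"}

def helo_policy(helo, client_ip, helo_spf_result=None):
    """Return (action, reason) for a HELO/EHLO argument.
    helo is the client's HELO argument (%CDN%), client_ip the connecting
    address (%CIP%), helo_spf_result the outcome of an SPF check of the HELO
    name done by the caller ('pass', 'fail', 'neutral', ...) or None if none.
    """
    cip = ipaddress.ip_address(client_ip)
    cdn = helo.strip().lower()
    # "HELO [1.2.3.4]": a bracketed address literal is legal only if it is
    # well-formed and names the connecting IP.
    if cdn.startswith("[") and cdn.endswith("]"):
        inner = cdn[1:-1]
        if inner.startswith("ipv6:"):  # RFC 5321 form "[IPv6:...]"
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return ("REJECT", "Illegal Domain Literal")
        if literal != cip:
            return ("REJECT", "Domain Literal/IP Mismatch")
        return ("ACCEPT", "address literal matches client IP")

    # "HELO 1.2.3.4": a bare address without brackets is not a legal HELO name.
    try:
        ipaddress.ip_address(cdn)
        return ("REJECT", "Illegal Domain Literal")
    except ValueError:
        pass

    # Local-domain rule: "Reject if .<domain> in .%CDN% and %CIP% != <server ip>".
    # The leading dot lets "mail.santronics.com" match but not "notsantronics.com".
    dotted_cdn = "." + cdn
    for domain in LOCAL_DOMAINS:
        if dotted_cdn.endswith("." + domain):
            if client_ip not in LOCAL_SERVER_IPS:
                return ("REJECT", "HELO/EHLO mismatch")
            return ("ACCEPT", "local domain from a local server")

    # Remote domain: if the HELO name has an SPF record, only PASS is accepted.
    if helo_spf_result is not None and helo_spf_result.lower() != "pass":
        return ("REJECT", "HELO SPF result is %s, not pass" % helo_spf_result)
    return ("ACCEPT", "no local rule matched")
```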