Right,
I understand what you mean matching at least 2 levels to domains (TLD match
level equal 2 at least).
But I am specifically talking about where the client literally issues:
HELO/EHLO domain.com
MAIL FROM: user @ domain.com
and
MFROM.DOMAIN == HELO.DOMAIN
It is a clear cut violation if SPF(MFROM) returns anything but a FAIL or
PASS because the client is stating it is inside the secured authorized
sending network.
As I said, it was an exploration, for the last 72 hours, and thus far there
were quite a few transactions where the SPF(MFROM) was NEUTRAL, some SOFTFAIL
and the HELO domain matches MFROM.
Make sense? To me, that is a pretty clear cut. No ambiguity.
To answer Frank,
The point here was to avoid a HELO lookup if not necessary by doing some
domain helo/mfrom matching first. I don't understand why SOFTFAIL could not
be considered in this logic, Frank? I don't understand your point here.
Comments?
---
Hector
----- Original Message -----
From: "Scott Kitterman" <spf2(_at_)kitterman(_dot_)com>
On 02/25/2006 14:14, Hector Santos wrote:
I have been exploring this rule in our SPF implementation with great
success:
    result = SPF(MFROM.DOMAIN)
    if result in [NEUTRAL, SOFTFAIL] then
        if HELO.DOMAIN = MFROM.DOMAIN then
            result = FAIL
In other words, if the MACHINE and the SENDER are the same domain, then
there is no reason for a NEUTRAL or SOFTFAIL in the SPF(MFROM.DOMAIN)
result.
Any comments about this?
Generally speaking I wouldn't expect this to come up since HELO.DOMAIN is
supposed to be machine specific. This might work for domains (like Hotmail,
last time I checked) that incorrectly use the same HELO.DOMAIN for all their
servers.
More broadly, I think what you are after is not if HELO.DOMAIN = MFROM.DOMAIN,
but if HELO.DOMAIN is contained in MFROM.DOMAIN, e.g. HELO.DOMAIN =
relay.example.com and MFROM.DOMAIN = example.com. That's a more complex
consideration, but one that's likely to be more commonly relevant.
I'd imagine that it's worth exploring and getting some statistics on.
Scott K
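
The rule discussed in this thread, as an added example that is not code from either poster or from any SPF implementation. It covers both the exact HELO.DOMAIN = MFROM.DOMAIN match and the subdomain-containment variant; the function names and sample transactions are constructed for illustration, and the SPF(MFROM) result is passed in rather than looked up.

```python
# Added example: the HELO/MFROM override discussed in this thread.
# The SPF result is supplied by the caller; no DNS lookups happen here.

def normalize(domain):
    """Lower-case and drop a trailing dot so comparisons are label-exact."""
    return domain.strip().rstrip(".").lower()

def mfrom_domain(mail_from):
    """Domain part of the MAIL FROM address, or None for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return normalize(addr.rsplit("@", 1)[1])

def helo_matches(helo, domain, allow_subdomain):
    """Exact match, or containment on a label boundary when allowed."""
    helo = normalize(helo)
    if helo.startswith("["):          # address literal such as [192.0.2.1]
        return False
    if helo == domain:
        return True
    # "." + domain keeps badexample.com from matching example.com
    return allow_subdomain and helo.endswith("." + domain)

def apply_rule(helo, mail_from, spf_result, allow_subdomain=False):
    """Upgrade NEUTRAL/SOFTFAIL to FAIL when HELO claims the MFROM domain."""
    domain = mfrom_domain(mail_from)
    result = spf_result.upper()
    if domain and result in ("NEUTRAL", "SOFTFAIL") \
            and helo_matches(helo, domain, allow_subdomain):
        return "FAIL"
    return result

# Constructed transactions: (HELO, MAIL FROM, SPF(MFROM) result)
SAMPLES = [
    ("example.com", "<user@example.com>", "SOFTFAIL"),
    ("relay.example.com", "<user@example.com>", "NEUTRAL"),
    ("badexample.com", "<user@example.com>", "NEUTRAL"),
    ("Example.COM.", "<user@example.com>", "PASS"),
    ("example.com", "<>", "NEUTRAL"),
]

if __name__ == "__main__":
    for helo, mfrom, res in SAMPLES:
        print(helo, mfrom, res, "->", apply_rule(helo, mfrom, res),
              "/", apply_rule(helo, mfrom, res, allow_subdomain=True))
```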