spf-discuss

Re: [spf-discuss] Rejecting "Best-Guess" failures

2006-07-21 09:27:56
On Thu, 20 Jul 2006, Robert Millan wrote:

> If mean that he tests an inbound message for three things:
>
> 1.  Does the client IP have a reverse DNS PTR record?
> 2.  Does it use a legit (FQDN) HELO name?
> 3.  Does the mail from of the message Pass SPF?
>
> Any one of those is enough to save the message from outright rejection.
>
> I don't like it.  Complying with #1 and #2 is too easy for a spammer, and
> they're only exposing their IP/hostname which I don't want to blacklist (the
> paragraph above should explain why).  OTOH, if they're forced to expose their
> domain name, I'll be glad to blacklist that.

#1 doesn't just require a PTR, but a PTR name that is not dynamic according
to my heuristic algorithm.  Spammers *could* comply, but zombie-based spam
generally doesn't.  If I could (see below), I would eliminate this
method of authentication.  I don't blame you for not liking it.

 <rant>I hate MTAs that reject based solely on lack of a PTR.  It is
 impossible for many small subscribers to get their incompetent ISP
 monopoly to publish a valid PTR.  PTR is a stupid means of authentication.
 </rant>

#2 *does* expose a domain name.  A spammer must own the domain to provide a
valid HELO that is different from the PTR (and I require it to resolve to the
sender IP).  HELOs that are the same as a dynamic-looking PTR are not
accepted.

My customers have to receive mail from some rather incompetent (email-wise)
senders.  An important tool for dealing with that is local SPF.  If there
is no official SPF record for a domain, it looks under a local domain
(_spf.example.com) for a local record that I provide for them.  This lets me
provide a local policy based on an SPF-like lookup.  E.g.

$ORIGIN _spf.example.com.
clueless.com         IN TXT  "v=spf1 mx a:mail.someserver.com ?all"

The result should not go in a Received-SPF header, of course, because
it is not official, and the sending network of clueless.com could change
without notice.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
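
The acceptance rule and local SPF fallback described in the message above, as an added example (not the poster's code). The DNS tables, the dynamic-PTR pattern and every function name are constructed for illustration, and the SPF result is assumed to come from a separate SPF evaluator.

```python
import re

LOCAL_SPF_ZONE = "_spf.example.com"   # local policy zone named in the message

# Constructed stand-in for DNS so the example runs offline.
TXT = {
    "good.example.org": ["v=spf1 ip4:192.0.2.10 -all"],
    "clueless.com._spf.example.com": ["v=spf1 mx a:mail.someserver.com ?all"],
}
A = {"mail.good.example.org": ["192.0.2.10"]}

# Assumed heuristic (not the poster's): PTR names that embed IP octets or
# access-network keywords are treated as dynamic.
DYNAMIC = re.compile(r"(\d+[-.]){3}\d+|dyn|dhcp|dsl|pool|cable", re.I)

def spf_record(domain, txt=TXT):
    """Return (record, official): the published record, else the local one."""
    for name, official in ((domain, True),
                           (f"{domain}.{LOCAL_SPF_ZONE}", False)):
        for rr in txt.get(name, []):
            if rr == "v=spf1" or rr.startswith("v=spf1 "):
                return rr, official
    return None, False

def ptr_ok(ptr):
    """Check #1: a PTR exists and does not look dynamic."""
    return bool(ptr) and not DYNAMIC.search(ptr)

def helo_ok(helo, ptr, client_ip, a=A):
    """Check #2: FQDN HELO that resolves to the sender IP."""
    if "." not in helo or helo.startswith("["):       # not an FQDN
        return False
    if ptr and helo.lower() == ptr.lower() and not ptr_ok(ptr):
        return False                                   # HELO == dynamic PTR
    return client_ip in a.get(helo.lower(), [])

def disposition(client_ip, ptr, helo, spf_result, official):
    """Any one passing check saves the message from outright rejection."""
    checks = (("ptr", ptr_ok(ptr)),
              ("helo", helo_ok(helo, ptr, client_ip)),
              ("spf", spf_result == "pass"))
    passed = [name for name, ok in checks if ok]
    # Results from the local zone are unofficial: keep them out of Received-SPF.
    return {"reject": not passed, "passed": passed,
            "add_received_spf": official}
```

The `official` flag returned by `spf_record` is what keeps a locally supplied policy from being reported as if the sending domain had published it.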
