On Fri, Jul 21, 2006 at 12:26:49PM -0400, Stuart D. Gathman wrote:
> > I don't like it. Complying with #1 and #2 is too easy for a spammer, and
> > they're only exposing their IP/hostname which I don't want to blacklist (the
> > paragraph above should explain why). OTOH, if they're forced to expose their
> > domain name, I'll be glad to blacklist that.
>
> #1 doesn't just require a PTR, but a PTR name that is not dynamic according
> to my heuristic algorithm. Spammers *could* comply, but zombie-based spam
> generally doesn't. If I could (see below), I would eliminate this
> method of authentication. I don't blame you for not liking it.
>
> <rant>I hate MTAs that reject based solely on lack of a PTR. It is
> impossible for many small subscribers to get their incompetent ISP
> monopoly to publish a valid PTR. PTR is a stupid means of authentication.
> </rant>

"incompetent ISP monopoly" ....uhm, where have I seen this before? :-)

> #2 *does* expose a domain name. A spammer must own the domain to provide a
> valid HELO that is different from the PTR (and I require it to resolve to the
> sender IP). HELOs that are the same as a dynamic-looking PTR are not
> accepted.

Ah. Sounds good to me then. But I find best-guess rejection slightly better:
you get to reject phishing spam that has a valid HELO (with a dummy, spammer
controlled domain), but still uses the forged address as the sender.

They expose their domain either way, but I don't care at all about their domain
being exposed when I can reject their crap before it reaches my mailbox :)
--
Robert Millan
My spam trap is honeypot(_at_)aybabtu(_dot_)com(_dot_) Note: this address is
only intended for spam harvesters. Writing to it will get you added to my black list.
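One way to model the two authentication methods Stuart describes in the quoted text (#1: a PTR that does not look dynamic; #2: a HELO that resolves to the sender IP and is not the same as a dynamic-looking PTR). This is an added example, not code from the thread or from Stuart's MTA; the DNS tables are constructed stand-ins for live lookups, and the "dynamic-looking" heuristic is my own assumption, since his actual algorithm is not shown in the message.

```python
import re

# Constructed DNS data standing in for live PTR and A lookups (assumption, not real hosts).
PTR = {
    "203.0.113.10": "mail.example.net",                    # ordinary server PTR
    "203.0.113.77": "203-0-113-77.dyn.example-isp.net",    # access-pool style PTR
    # 203.0.113.99 deliberately has no PTR at all
}
A = {
    "mail.example.net": {"203.0.113.10"},
    "mail.example.org": {"203.0.113.77"},
    "throwaway.example": {"203.0.113.99"},   # a domain the sender actually controls
}

# Assumed heuristic labels typical of ISP-generated PTR names for dynamic/consumer pools.
DYNAMIC_WORDS = re.compile(r"\b(dyn|dynamic|dhcp|pool|ppp|dialup|dsl|cable)\b", re.I)


def looks_dynamic(ptr_name: str, ip: str) -> bool:
    """Assumed heuristic: the PTR embeds most of the address octets, or carries a pool label."""
    tokens = re.split(r"[.\-]", ptr_name.lower())
    octet_hits = sum(octet in tokens for octet in ip.split("."))
    has_pool_word = bool(DYNAMIC_WORDS.search(" ".join(tokens)))
    return octet_hits >= 3 or has_pool_word


def authenticate(ip: str, helo: str):
    """Return ("ptr", name) for method #1, ("helo", name) for method #2, or None."""
    helo = helo.lower()
    ptr = PTR.get(ip)
    ptr_dynamic = ptr is not None and looks_dynamic(ptr, ip)
    # Method #1: a PTR exists and does not look dynamic (mere presence of a PTR is not enough).
    if ptr is not None and not ptr_dynamic:
        return ("ptr", ptr)
    # Method #2: HELO must resolve back to the sender IP, and a HELO that merely repeats a
    # dynamic-looking PTR is not accepted; passing here exposes a domain the sender owns.
    if ip in A.get(helo, ()) and not (ptr_dynamic and helo == ptr.lower()):
        return ("helo", helo)
    return None
```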
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com