spf-discuss

Re: [spf-discuss] SPF queries by a newbie

2006-11-13 20:20:06
Hi Stuart,

Stuart D. Gathman elucidated on 14/11/06 02:40:
On Tue, 14 Nov 2006, Jon Grant wrote:

have no way to force the ISP to publish or delegate a proper PTR.  Domain
owners can always use a proper HELO name, and this is clear and sufficient
proof that the MTA is managed by the domain owner.

Can't a spammer just put mail.gmail.com in the HELO field though then?
Maybe I didn't understand your message. I do see the problem for people
who can't set up reverse DNS. I do think the IP should have something
though, even if it is dsl-1-2-3-5.host.com

Sure, but the spammer doesn't control the DNS for mail.gmail.com, so the
IP address(es) will not match the zombie sending the spam.  If the 
HELO name resolves to the connect IP, then this is a positive confirmation
of the identity of the sending MTA.  Ideally, everyone should reject
mail that doesn't have a HELO like this (RFC also allows numeric HELO
like HELO [1.2.3.4]), but too many MTAs have clueless admins that put
garbage for HELO name.

I think I follow your point. I'd agree with doing a Reject 55x or so if
the HELO does not match the reverse DNS of the domain.

ATM with SPF checking, it just compares the IP to the SPF right? It
could check the HELO matches as well..

kind regards
Jon
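
The check described in the quoted reply above (the HELO name must resolve to the connecting IP, with a numeric HELO like [1.2.3.4] compared directly), as an added Python example that is not part of the original thread. The resolver, the zone data and all function names are constructed for illustration; a real MTA would look up A/AAAA records in DNS instead.

```python
import ipaddress

# Constructed sample zone standing in for DNS A/AAAA answers (documentation ranges).
SAMPLE_ZONE = {
    "mail.example.org": ["192.0.2.25", "2001:db8::25"],
    "mail.example.net": ["198.51.100.7"],
}

def sample_resolver(name):
    """Hypothetical resolver: address strings for name, or [] when it has none."""
    return SAMPLE_ZONE.get(name.lower().rstrip("."), [])

def parse_address_literal(helo):
    """Return the IP inside an SMTP address literal such as [1.2.3.4], else None."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    body = helo[1:-1]
    if body.lower().startswith("ipv6:"):      # IPv6 literals carry an "IPv6:" tag
        body = body[5:]
    try:
        return ipaddress.ip_address(body)
    except ValueError:
        return None

def helo_confirms_ip(helo, connect_ip, resolver=sample_resolver):
    """True only when the HELO identity is positively tied to connect_ip."""
    peer = ipaddress.ip_address(connect_ip)
    if helo.startswith("["):
        literal = parse_address_literal(helo)  # malformed literal gives None
        return literal is not None and literal == peer
    for answer in resolver(helo):
        try:
            if ipaddress.ip_address(answer) == peer:
                return True
        except ValueError:
            continue                           # skip malformed resolver answers
    return False                               # no match, or name does not resolve
```

A HELO name that belongs to someone else fails here because its published addresses do not include the connecting host, which is the point made in the reply.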
