spf-discuss

Re: [spf-discuss] SPF queries by a newbie

2006-11-14 14:45:55
Hi,

Thanks for your reply.

Stuart D. Gathman elucidated on 14/11/06 04:03:
On Tue, 14 Nov 2006, Jon Grant wrote:

I think I follow your point. I'd agree with doing a Reject 55x or so if
the HELO does not match the reverse DNS of the domain

No, the HELO *name* doesn't need to match any of the names in rDNS.
Instead, the HELO name resolves to a list of IP *addresses* - one of which
should match the connect IP.

Okay, got you this time.  This does sound better than just wanting the
IP to have a rDNS.

Someone pointed out that many people think rfc2821 allows a multihomed MTA
to have a mismatching HELO provided it matches one of its other
IPs (which you don't know).  This goes against the spirit of HELO
in my opinion, and it is always possible to list all applicable IPs
for the HELO name, so there is no excuse for not doing it right.

Yes, it says the HELO name must "belong to the MTA".  Clearly, they
meant "belongs to the interface of the MTA that you see".  Belonging to some
other unknown network interface is useless.

But the point is moot since a large portion of MTAs have garbage
for HELO name (e.g. "JUPITER"), so rejecting solely on bad HELO
is impractical.

That's a shame. Do you think if some ISPs or gmail.com started doing
Reject 55x for bad HELO there would be a shift overall?

I'm not sure that, if any individual took that step, big ISPs would change their
policy. Holland & Barrett, the UK health food blacklisted
smtp.tiscali.co.uk because they use SORBS. SORBS would not remove the
block and H&B would not stop their use of SORBS. Maybe a change just
wasn't meant to be...!

I emailed someone who was blocking the whole of the .uk domain because of
the UK registrar once. Nominet was not able to remove domains of spamming
machines (and the guy thought they should have been able to remove them),
if I remember that situation correctly.

ATM with SPF checking, it just compares the IP to the SPF right? It
could check the HELO matches as well..

SPF also checks HELO (optionally except for DSNs).  If the HELO name has
an SPF record, then that resolves any ambiguities left open by rfc2821.
If a HELO name fails SPF, then you should certainly reject the connection.

That sounds great.

I believe you should reject a connection if HELO SPF gets anything other
than PASS.  There is no forwarding, roaming users, or other things
to debug.  There is just that one MTA - it has no excuse to do anything 
but pass.  Note that even vast farms of MTAs for huge mail providers
can give each IP used by outgoing MTAs a name to be used for HELO.
A single MTA with multiple IPs that can't tell which IP it is currently
using (perhaps because of external loadsharing of some sort) can use a name
with multiple A RRs.

However, people do manage to shoot themselves in the foot.

Our leg work should hopefully make spamming less economically viable at
least.

Jon

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735
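The two checks discussed in the thread, as an added example that is not part of the original message or of any SPF implementation: first, the HELO name is resolved to A records and one of them must equal the connecting IP (no rDNS involved); second, if the HELO name publishes an SPF record, anything other than pass is grounds for rejecting the connection, since a HELO identity has no forwarding or roaming cases to excuse a failure. The DNS data is constructed inline so the example runs offline; the evaluator handles only the `a`, `ip4` and `all` mechanisms and is not a full SPF implementation. Where a name has no SPF record, the policy only flags a non-resolving HELO rather than rejecting, reflecting the point that rejecting solely on a bad HELO is impractical.

```python
import ipaddress

# Constructed zone data for the example (not real DNS): HELO name -> A records.
FAKE_A = {
    "mx1.example.net": ["192.0.2.10"],
    # A multihomed sender lists every IP it may connect from, as the thread recommends.
    "outbound.example.org": ["198.51.100.5", "198.51.100.6"],
    "mail.example.com": ["203.0.113.7"],
    # A garbage HELO such as "JUPITER" is simply absent and resolves to nothing.
}

# Constructed SPF (TXT) records for the same names.
FAKE_SPF = {
    "mx1.example.net": "v=spf1 a -all",
    "outbound.example.org": "v=spf1 ip4:198.51.100.0/29 -all",
    "mail.example.com": "v=spf1 a ip4:203.0.113.0/24 -all",
}


def fake_a_lookup(name):
    return FAKE_A.get(name, [])


def fake_txt_lookup(name):
    return FAKE_SPF.get(name)


def helo_forward_confirmed(helo, connect_ip, a_lookup=fake_a_lookup):
    """Resolve the HELO name to addresses and require that one of them
    is the connecting IP. The rDNS of the connecting IP plays no part."""
    ip = ipaddress.ip_address(connect_ip)
    return any(ipaddress.ip_address(a) == ip for a in a_lookup(helo))


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_helo_spf(helo, connect_ip, a_lookup=fake_a_lookup, txt_lookup=fake_txt_lookup):
    """Minimal SPF evaluation of the HELO identity. Handles only the
    'a', 'ip4' and 'all' mechanisms; include/mx/exists/macros are out of scope."""
    record = txt_lookup(helo)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connect_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "a":
            target = arg or helo
            if any(ipaddress.ip_address(a) == ip for a in a_lookup(target)):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
    return "neutral"  # no mechanism matched and no explicit 'all'


def helo_policy(helo, connect_ip, a_lookup=fake_a_lookup, txt_lookup=fake_txt_lookup):
    """Decision for one SMTP connection. Returns (action, reason)."""
    result = evaluate_helo_spf(helo, connect_ip, a_lookup, txt_lookup)
    if result == "pass":
        return ("accept", "HELO SPF pass")
    if result != "none":
        # A HELO identity has no forwarding or roaming cases: anything but pass is rejected.
        return ("reject", f"HELO SPF {result}")
    if helo_forward_confirmed(helo, connect_ip, a_lookup):
        return ("accept", "no HELO SPF record; HELO resolves to connecting IP")
    # Many MTAs send garbage HELO names, so this case is flagged rather than rejected.
    return ("flag", "no HELO SPF record and HELO does not resolve to connecting IP")


if __name__ == "__main__":
    for helo, ip in [("mx1.example.net", "192.0.2.10"), ("mx1.example.net", "192.0.2.11"),
                     ("outbound.example.org", "198.51.100.6"), ("JUPITER", "10.0.0.1")]:
        print(helo, ip, helo_policy(helo, ip))
```

The `outbound.example.org` entry shows the multihomed case from the thread: the name carries one A record per outgoing IP and an `ip4` range covering them, so whichever interface the MTA happens to use, the HELO still passes.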