RE: [spf-discuss] Newcomer question - email admin perspective

2007-01-02 15:02:28
Stuart D. Gathman wrote on Tuesday, January 02, 2007 12:25 PM -0600:

> In fact, even without an SPF record, if the HELO resolves to the
> connect IP, you can be certain that the connect IP was authorized
> to use that HELO by the DNS admin for the HELO domain.  Reverse
> DNS doesn't add anything.

It indicates control over the IP.  Domains can be throwaway, but IPs
are not.  If someone owns a zombie at a given IP address, they can then
publish SPF for their throwaway domain designating the zombie's IP.
Depending on the registrar, you only need a day or so for the DNS
information to propagate.  Unless you reject for a dynamic IP, this
tactic is hard to beat.  If you do accept connections from dynamic IPs,
the only clue is that the domain has no reputation.  You could rate
limit them until they develop a positive reputation, though the cost of
throwaway domains is low enough that it may still be worthwhile.

For what it's worth, DKIM and similar are subject to the same attack,
and it doesn't even require them to know the IP when they publish the
DNS information.  Unfortunately, people may believe a positive DKIM
result more than SPF because it uses strong cryptography.  However, SPF
pass combined with rDNS match is actually stronger assurance of the
originating domain than DKIM.


> In fact, good email admins may not be able to create rDNS records
> due to no competent ISPs being available in their area.

This is the valid argument for not being too strict on existence of
matching rDNS records.  However, if there is matching rDNS, you know
that the domain controls the IP in addition to the domain name.

--
Seth Goodman
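The checks argued over in this exchange (HELO name forward-resolving to the connecting IP, a matching reverse record showing the domain also controls the IP, and the dynamic-address clue) can be put side by side in a small receiver-side classifier. The code below is an added example, not code from either poster; the DNS records, hostnames and addresses in it are constructed for an offline demo, and a real MTA hook would query a resolver instead of the `FORWARD`/`REVERSE` dictionaries. The `organizational_domain` helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Receiver-side HELO / reverse-DNS classification (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed forward (A) records: hostname -> set of IPv4 addresses.
FORWARD = {
    "mail.example.net": {"192.0.2.10"},
    # A throwaway domain whose owner pointed an A record at a zombie's address.
    "mx.throwaway.example": {"198.51.100.7"},
}
# Constructed reverse (PTR) records: IPv4 address -> set of hostnames.
REVERSE = {
    "192.0.2.10": {"mail.example.net"},
    # ISP-generated name for a consumer/dynamic address; the zombie's owner cannot change it.
    "198.51.100.7": {"198-51-100-7.dyn.isp.example"},
}
# Labels that ISPs commonly put in auto-generated names for dynamic pools (heuristic only).
DYNAMIC_HINTS = ("dyn", "dhcp", "pool", "ppp", "dsl", "cable")


def organizational_domain(hostname: str) -> str:
    """Crude registered-domain extraction: last two labels. Fine for the demo;
    production code should consult the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def helo_forward_confirmed(helo: str, ip: str, forward=FORWARD) -> bool:
    """True when the HELO name has an A record equal to the connecting IP,
    i.e. the HELO domain's DNS admin authorised this IP to use that name."""
    return ip in forward.get(helo.lower().rstrip("."), set())


def rdns_matches_helo(helo: str, ip: str, forward=FORWARD, reverse=REVERSE) -> bool:
    """Forward-confirmed reverse DNS landing in the HELO's domain: some PTR name
    for the IP resolves back to the IP and shares the HELO's organisational domain.
    This is the extra assurance that the domain also controls the IP."""
    for ptr in reverse.get(ip, set()):
        if ip in forward.get(ptr, set()) and \
                organizational_domain(ptr) == organizational_domain(helo):
            return True
    return False


def looks_dynamic(ip: str, reverse=REVERSE) -> bool:
    """Heuristic: the PTR name carries a dynamic-pool label or spells out the IP's octets."""
    octets = set(ip.split("."))
    for ptr in reverse.get(ip, set()):
        low = ptr.lower()
        tokens = set(re.split(r"[.-]", low))
        if any(hint in low for hint in DYNAMIC_HINTS) or octets <= tokens:
            return True
    return False


@dataclass
class Verdict:
    helo_confirmed: bool
    rdns_match: bool
    dynamic: bool
    action: str


def classify(helo: str, ip: str, domain_has_reputation: bool = False) -> Verdict:
    """Combine the three signals into a policy decision mirroring the thread:
    accept when the domain controls both name and IP, rate-limit the
    throwaway-domain-on-dynamic-IP pattern until reputation exists, tolerate
    a confirmed HELO with no matching rDNS, and defer anything weaker."""
    hc = helo_forward_confirmed(helo, ip)
    rm = rdns_matches_helo(helo, ip)
    dyn = looks_dynamic(ip)
    if hc and rm:
        action = "accept"
    elif hc and dyn and not domain_has_reputation:
        action = "rate-limit"
    elif hc:
        action = "accept-no-rdns"
    else:
        action = "defer-or-reject"
    return Verdict(hc, rm, dyn, action)


if __name__ == "__main__":
    for helo, ip in (("mail.example.net", "192.0.2.10"),
                     ("mx.throwaway.example", "198.51.100.7"),
                     ("mail.example.net", "198.51.100.7")):
        print(helo, ip, classify(helo, ip))
```

The second case is the attack Seth describes: the HELO check passes because the attacker controls the throwaway domain's A record, but the ISP-owned PTR neither resolves back through the attacker's zone nor shares its domain, and its naming marks the address as dynamic, so the verdict drops to rate-limiting rather than acceptance.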