spf-discuss

RE: [spf-discuss] Newcomer question - email admin perspective

2007-01-04 15:17:01
Stuart D. Gathman Wrote on Tuesday, January 02, 2007 4:34 PM -0600:

> The problem is that the admin of an MTA does *not* have control over
> the IP, the ISP does.  Unless you are a huge enterprise with a class
> C or bigger IP range.

That's not exactly true.  It means either you own a class C with the
zone delegated to you _or_ you have a competent ISP who will set rDNS
records for your smaller number of IP's.  I understand that not
everybody has a competent ISP, and that's why you may lose some
legitimate mail if you reject on no matching rDNS.


> I have yet to meet a zombie with a valid HELO.  The problem is that
> you would need to provide an A record for every zombie in the field.
> That, among other things, makes your list of zombies public.
> You are probably thinking of SPF, where the spammer can publish
> something like "v=spf1 +all", but somewhat obfuscated.  I am talking
> about plain old RFC2822 HELO, where the HELO name resolves to the
> connect IP.

Zombies may not forge reasonable HELO names _today_, but there's no
reason they can't.  They often set the HELO name to the recipient
domain, so they obviously can set it to whatever they want.

Publishing an A record that includes a bunch of fresh zombie IP's is
easy.  The fact that they make zombie IP's public by doing so is of no
consequence, since these IP's become public when they start spewing just
a few minutes later.  It will only be a short time until they are listed
on public DNSBL's, and that's apparently enough of a window to make the
zombies useful.


> So, I repeat my assertion.  Checking rDNS does not help prevent
> zombies or spammers.
>
> Checking HELO does.

I don't agree.  While HELO is a good spam indicator today, there's no
reason for it to remain that way.  If rDNS matches, you know that the
domain has paid for an IP that will quickly become useless if they spam.
The fact that DNSBL's have been successful and that spammers now favor
zombies is an indication that it will make their lives much more
difficult.


> Checking rDNS, furthermore, discriminates against small companies
> who do not own a class C IP range, and no competent ISP is available
> other than via dialup (too slow) and T1 (too expensive).

This is a real concern, and it's the reason why you shouldn't reject for
lack of rDNS match, unless you are prepared to deal with complaints.  It
doesn't change the fact that the existence of matching rDNS gives you a very
good indication that it is _not_ a spammer.  Lack of matching rDNS with
no domain reputation doesn't mean that it _is_ a spammer, only that you
may wish to severely rate limit them until they develop a reputation.

--
Seth Goodman
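The two checks argued over in this exchange, forward-confirmed rDNS (PTR for the connecting IP, then A/AAAA for the PTR name must contain that IP) versus a HELO name that resolves to the connecting IP, as an added example that is not part of the original post, the SPF project or any MTA. The zone table, host names and addresses are constructed for the demonstration, and the `classify` policy (matching rDNS or resolving HELO passes; a HELO set to the recipient's own domain, or nothing matching, is rate-limited rather than rejected) is an illustration of the positions taken above, not a recommendation from either poster. Swap `static_resolver` for a function that does real PTR/A/AAAA lookups to use it against live traffic.

```python
"""Forward-confirmed rDNS and HELO-resolves-to-IP checks, as debated in the thread.

Added example, not code from the original post, the SPF project or any MTA.
The resolver is a constructed, in-memory zone table so the example runs
offline; in production you would pass a function that performs real
PTR/A/AAAA lookups (e.g. with dnspython) in its place.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# lookup(name, rtype) -> list of rdata strings; an empty list means no data/NXDOMAIN.
Resolver = Callable[[str, str], List[str]]


def _rp(ip: str) -> str:
    """in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed zone data (hypothetical names; RFC 1918 and documentation addresses).
_ZONE: Dict[Tuple[str, str], List[str]] = {
    # Well-run mail host: PTR and A agree, i.e. forward-confirmed.
    (_rp("10.0.0.1"), "PTR"): ["mail.example.com"],
    ("mail.example.com", "A"): ["10.0.0.1"],
    # ISP generic PTR whose forward record points somewhere else.
    (_rp("10.0.0.2"), "PTR"): ["dhcp-2.isp.example.net"],
    ("dhcp-2.isp.example.net", "A"): ["10.0.0.99"],
    # Spammer who published an A record covering fresh zombie IPs (the scenario
    # Seth describes): the HELO name resolves, but there is no PTR at all.
    ("zombie-pool.spam.example", "A"): ["10.0.0.3", "10.0.0.4"],
    # IPv6 host, to exercise the AAAA path.
    (_rp("2001:db8::25"), "PTR"): ["mx6.example.com"],
    ("mx6.example.com", "AAAA"): ["2001:db8::25"],
}


def static_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a real resolver; names are matched case-insensitively
    and without a trailing dot."""
    return list(_ZONE.get((name.rstrip(".").lower(), rtype.upper()), []))


def _addr_in(records: List[str], addr) -> bool:
    return any(ipaddress.ip_address(r) == addr for r in records)


def fcrdns(ip: str, lookup: Resolver) -> Tuple[bool, List[str]]:
    """Forward-confirmed reverse DNS: PTR(ip) yields names, and at least one of
    those names must have an A/AAAA record containing ip.  A PTR alone proves
    nothing, since the reverse-zone owner can put any name there."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    names = lookup(addr.reverse_pointer, "PTR")
    confirmed = [n for n in names if _addr_in(lookup(n, rtype), addr)]
    return bool(confirmed), confirmed


def helo_resolves_to_ip(helo: str, ip: str, lookup: Resolver) -> bool:
    """The HELO check argued for upthread: the HELO name must resolve to the
    connecting IP.  An address literal ([10.0.0.5]) or a bare IP names no
    domain anyone had to register, so it cannot pass a *name* check."""
    helo = helo.strip()
    if helo.startswith("[") and helo.endswith("]"):
        return False
    try:
        ipaddress.ip_address(helo)
        return False
    except ValueError:
        pass
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    return _addr_in(lookup(helo, rtype), addr)


def classify(ip: str, helo: str, recipient_domain: str, lookup: Resolver) -> Dict[str, object]:
    """Illustrative policy (an assumption of this example, not the thread's
    advice): matching rDNS earns normal delivery; a HELO that resolves to the
    IP also passes; a HELO claiming the recipient's own domain (the zombie
    pattern Seth mentions) and everything else is rate-limited, not rejected,
    so a small site whose ISP will not set PTR records is slowed, not bounced."""
    rdns_ok, names = fcrdns(ip, lookup)
    helo_ok = helo_resolves_to_ip(helo, ip, lookup)
    helo_is_recipient = helo.strip().rstrip(".").lower() == recipient_domain.rstrip(".").lower()
    if helo_is_recipient:
        action = "rate-limit"
    elif rdns_ok or helo_ok:
        action = "accept"
    else:
        action = "rate-limit"
    return {"fcrdns": rdns_ok, "rdns_names": names, "helo_resolves": helo_ok,
            "helo_is_recipient": helo_is_recipient, "action": action}


if __name__ == "__main__":
    # Constructed connections: (connecting IP, HELO name) against recipient victim.example.
    for ip, helo in [("10.0.0.1", "mail.example.com"),
                     ("10.0.0.2", "dhcp-2.isp.example.net"),
                     ("10.0.0.3", "zombie-pool.spam.example"),
                     ("10.0.0.4", "victim.example"),
                     ("10.0.0.5", "[10.0.0.5]"),
                     ("2001:db8::25", "mx6.example.com")]:
        print(ip, helo, classify(ip, helo, "victim.example", static_resolver))
```

The third case is the one the reply above turns on: a spammer who publishes an A record for a zombie pool passes the HELO check from any of those IPs, while FCrDNS still fails because the ISP, not the spammer, controls the reverse zone. The second case shows the cost Seth concedes: a legitimate host behind an ISP that only sets generic PTR names fails both checks and would be rate-limited rather than bounced.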

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735
