spf-discuss

RE: [spf-discuss] Newcomer question - email admin perspective

2007-01-04 15:32:50
Dick St.Peters wrote on Tuesday, January 02, 2007 4:35 PM -0600:

> Seth Goodman writes:
> > Stuart D. Gathman wrote on Tuesday, January 02, 2007 12:25 PM -0600:
> >
> > > In fact, even without an SPF record, if the HELO resolves to the
> > > connect IP, you can be certain that the connect IP was authorized
> > > to use that HELO by the DNS admin for the HELO domain.  Reverse
> > > DNS doesn't add anything.
> >
> > It indicates control over the IP.  Domains can be throwaway, but
> > IPs are not.
>
> True enough, but control over the IP means control over what it
> reverse-resolves to.  You can make your IPs reverse resolve to
> anything you want.
>
> For example, there is nothing preventing me from making one of my IPs
> reverse resolve to, say, mail.goodmanassociates.com.  Of course, I
> can't make the forward resolution match, but unless someone looking at
> the reverse DNS also checks that the forward DNS matches, an imposter
> can use reverse DNS to look credible.

Yes, they can set the reverse DNS to match their domain name, but the IP
will soon be useless because it will appear on public DNSBLs.  I doubt
that the economics of spamming is good enough to justify buying a
static IP for each spam run.  The combination of the domain designating
an IP to emit mail, matching DNS showing the domain controls the IPs
it designates and a good reputation means that the messages are very
unlikely to be spam.  Two out of three is often good enough, that is,
the combination of SPF pass and good reputation is adequate.

--
Seth Goodman
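
Added example, not part of the original message or of any SPF implementation: a receiver-side sketch of the two checks discussed in this thread, whether the HELO name resolves forward to the connecting IP and whether a PTR name is confirmed by a matching forward lookup. The zone data, host names and the `assess` helper are constructed for illustration (RFC 5737 addresses, example domains) and stand in for live DNS queries.

```python
import ipaddress

# Constructed zone data standing in for live DNS lookups.
PTR = {
    "192.0.2.10": ["mail.example.org."],    # IP owner also controls the name
    "198.51.100.7": ["mail.example.org."],  # PTR claims a name its owner does not control
    "203.0.113.5": [],                      # no reverse DNS published
}
A = {
    "mail.example.org": ["192.0.2.10"],
    "relay.example.net": ["203.0.113.5"],
}

def _norm(name):
    return name.rstrip(".").lower()

def forward(name):
    """Address records for a host name (constructed data)."""
    return A.get(_norm(name), [])

def reverse(ip):
    """PTR names for an IP (constructed data)."""
    return PTR.get(ip, [])

def _same_ip(a, b):
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

def helo_resolves_to_ip(helo, connect_ip):
    """True if the HELO name has an address record equal to the connecting IP."""
    return any(_same_ip(addr, connect_ip) for addr in forward(helo))

def confirmed_ptr_names(connect_ip):
    """PTR names whose forward lookup leads back to the connecting IP."""
    return [_norm(n) for n in reverse(connect_ip)
            if any(_same_ip(addr, connect_ip) for addr in forward(n))]

def assess(helo, connect_ip):
    return {
        "helo_forward_ok": helo_resolves_to_ip(helo, connect_ip),
        "ptr_claimed": [_norm(n) for n in reverse(connect_ip)],
        "ptr_confirmed": confirmed_ptr_names(connect_ip),
    }

if __name__ == "__main__":
    for helo, ip in [("mail.example.org", "192.0.2.10"),
                     ("mail.example.org", "198.51.100.7"),
                     ("relay.example.net", "203.0.113.5")]:
        print(ip, helo, assess(helo, ip))
```

The second case is the one raised in the thread: the PTR record names a credible host, but `ptr_confirmed` is empty because the forward lookup does not lead back to the connecting IP.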
