spf-discuss

Re: [spf-discuss] Re: How does one distinguish between authorizing MAIL FROM and HELO

2007-01-28 13:12:23
On Sunday 28 January 2007 14:42, John A. Martin wrote:
"Scott" == Scott Kitterman
"Re: How does one distinguish between authorizing MAIL FROM and HELO"
 Sun, 28 Jan 2007 10:48:27 -0500

    Scott> On Sunday 28 January 2007 09:05, John A. Martin wrote:
    >> Given that the only authorized MAIL FROM will be
    >> local@example.com and that the only authorized HELO will be
    >> host1.example.com how is it recommended to signify that using
    >> SPF while also indicating using SPF that MAIL
    >> FROM:<local@host1.example.com> is NOT authorized and that 'HELO
    >> example.com' is NOT authorized?  The only pertinent RRs for
    >> these domains are as follows:
    >>
    >>         example.com.               MX   10 host1.example.com.
    >>         (no A RR for example.com)
    >>         host1.example.com.         MX   10 host1.example.com.
    >>         host1.example.com.         A    192.168.0.1
    >>         1.0.168.192.in-addr.arpa.  PTR  host1.example.com.

    Scott> SPF as defined by RFC4408 does not distinguish between
    Scott> those, but if you control host1.example.com you control
    Scott> what it uses for HELO and what it allows for Mail From, so
    Scott> in reality I think this isn't an issue.  People have
    Scott> theorized problems from this limitation, but AFAIK in real
    Scott> life it doesn't come up.

Well, I reject a lot of incoming messages with MAIL
FROM:<whatnot@host1.example.com> or 'HELO example.com' before applying
SPF and after SPF header checks see a boatload of messages with HELO
example.com in the trace of the message and more than just a few in
body checks that are designed to find these in mail headers enclosed
in message bodies.  I consider all of those caught by restrictions
after SPF to be backscatter.  I use:

        example.com.        TXT "v=spf1 ip4:192.168.0.1 -all"
        host1.example.com.  TXT "v=spf1 ip4:192.168.0.1 -all"

which will not alone reject messages spoofing either of those HELO
identities.  Judging from the backscatter, that spoofing does happen
regularly.

    Scott> If you care to discuss this further, I'd suggest
    Scott> spf-discuss and spf-help is intended for helping with SPF
    Scott> as it is and not designing improvements to it.

Right, but first I wanted to see that I was not missing something.

I guess I don't understand why you say "which will not alone reject messages 
spoofing either of those HELO identities"?  If it doesn't come from 
192.168.0.1 (in your example) reject it and be done with it.

Scott K

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
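
The following is an added illustration, not code from either poster: a minimal evaluator for the `ip4` and `all` mechanisms, applied to the two TXT records quoted in the thread and run separately against the HELO and MAIL FROM identities. The client address 203.0.113.7, the domain other.test and the function names are constructed for the example.

```python
import ipaddress

# Constructed zone data: the two TXT records quoted in the thread.
TXT = {
    "example.com": "v=spf1 ip4:192.168.0.1 -all",
    "host1.example.com": "v=spf1 ip4:192.168.0.1 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain):
    """Evaluate only the ip4/ip6/all subset of RFC 4408 check_host()."""
    record = TXT.get(domain.lower().rstrip("."))
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULTS[qualifier]
        else:
            return "permerror"  # outside the subset this sketch handles
    return "neutral"

def evaluate(ip, helo, mail_from):
    """Return (HELO result, MAIL FROM result) for one SMTP session."""
    # With a null reverse-path, the MAIL FROM check falls back to the HELO domain.
    sender_domain = mail_from.rpartition("@")[2] or helo
    return check_host(ip, helo), check_host(ip, sender_domain)

if __name__ == "__main__":
    sessions = [  # constructed sessions: (client IP, HELO, MAIL FROM)
        ("192.168.0.1", "host1.example.com", "local@example.com"),
        ("192.168.0.1", "example.com", "whatnot@host1.example.com"),
        ("203.0.113.7", "example.com", "whatnot@host1.example.com"),
        ("203.0.113.7", "example.com", "someone@other.test"),
    ]
    for ip, helo, mail_from in sessions:
        print(ip, helo, mail_from, evaluate(ip, helo, mail_from))
```

From 192.168.0.1 every combination of the two names passes, because both records authorize the same address and the record carries nothing that ties a domain to one identity. From any other address both names fail, but the last session is only caught if the receiver evaluates the HELO identity as well as MAIL FROM.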