spf-discuss

Re: [spf-discuss] SPF basics commentary

2007-01-29 09:50:56
> On Sun, 28 Jan 2007, Devin Ganger wrote:
>
> > On 1/28/07 8:35 PM, <stuart(_at_)bmsi(_dot_)com> wrote:
> >
> > > On Sun, 28 Jan 2007, Don Lee wrote:
> > >
> > > > There is a large and growing number of mailservers "out there" that
> > > > try to resolve the HELO name, and some do rDNS on the IP and
> > > > ensure that it matches the HELO.
> > >
> > > All PTR records provide is a name - that you have to verify by checking
> > > that it resolves to the IP.  Well, guess what, a HELO name is a ... name ...
> > > that you can verify by checking that it resolves to the IP - clearly
> > > establishing that the domain owner designated that IP.  So why
> > > did you bother fetching the PTR records again?
> >
> > Because by checking that A and PTR agree, I am confirming that the domain
> > that the machine claims to be is in fact authorized to be using that IP
> > address (barring institutional stupidity from ISPs who don't allow customers
> > to update rDNS information on a timely basis).
>
> Yes, but checking that the name provided by HELO agrees *already* checks
> that.  Fetching PTR doesn't add anything.
>
> Quick example to make sure you understand:
>
> Connect from 1.2.3.4
> HELO mail.example.com
>
> Lookup A record:
>
> mail.example.com       IN A 1.2.3.4
>
> That name and A record are the same as you would get by first looking up:
>
> 4.3.2.1.in-addr.arpa   IN PTR mail.example.com.
>
> There is no need to lookup the PTR, because HELO has already provided it.
> Bogus names can be provided in PTR just as easily as in HELO.  Verifying
> the A record validates either one.
>
> Just think of HELO as an extra PTR that comes for free with an SMTP connection.

The difference is that the rDNS is normally less under the control of
the spammer.  The HELO is arbitrary, and under the control of the MTA.
rDNS control requires more effort on the part of the spammer, and
will not be easy somewhere like x.y.rr.com or p.d.q.verizon.com.

rDNS can therefore be used to detect certain kinds of forgery that
resolving the HELO cannot.

For instance, it is easy for me to set up spamdomain.com -> 1.2.3.4, and
set up SPF so that 1.2.3.4 is OK to send mail.  However, if
rr.com "owns" 1.2.3.4, they may not let me change the
rDNS to "spamdomain.com" - esp. if it's a "pool" IP.

-dgl-
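The two checks the thread compares, a HELO forward lookup against a forward-confirmed rDNS (FCrDNS) lookup, as an added example that is not from any poster. Real DNS is replaced by a constructed in-memory table using the thread's 1.2.3.4 / mail.example.com / spamdomain.com values, and the rr.com pool PTR name is hypothetical.

```python
# Added example: HELO forward check vs. forward-confirmed rDNS (FCrDNS).
# DNS is a constructed in-memory table so this runs offline.
from typing import Dict, List, Tuple

# Constructed zone data. The sender controls the A records of names it owns,
# but the PTR for 1.2.3.4 is set by the IP's owner to a (hypothetical) pool name.
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.com": ["1.2.3.4"],
    "spamdomain.com": ["1.2.3.4"],
    "cpe-1-2-3-4.pool.rr.com": ["1.2.3.4"],  # hypothetical ISP pool name
}
PTR_RECORDS: Dict[str, List[str]] = {
    "1.2.3.4": ["cpe-1-2-3-4.pool.rr.com"],
    "5.6.7.8": ["mail.example.com"],  # bogus PTR: name does not resolve back
}


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def helo_forward_check(ip: str, helo: str) -> bool:
    """Stuart's check: does the HELO name's A record include the connecting IP?"""
    return ip in A_RECORDS.get(_norm(helo), [])


def fcrdns_names(ip: str) -> List[str]:
    """Forward-confirmed rDNS: PTR names whose A records include the IP.
    The forward step is what rejects a bogus PTR (the thread's point that a
    PTR is 'just a name' that still has to be verified)."""
    return [n for n in PTR_RECORDS.get(ip, []) if ip in A_RECORDS.get(n, [])]


def evaluate(ip: str, helo: str) -> Tuple[bool, bool, bool]:
    """Return (helo_ok, fcrdns_ok, helo_is_ptr_name).
    helo_ok:         HELO name resolves to the IP (sender-controlled name).
    fcrdns_ok:       the IP has at least one forward-confirmed PTR name.
    helo_is_ptr_name: the HELO name is one the IP's owner designated via rDNS,
                     which is the extra signal Don Lee argues rDNS provides."""
    helo_ok = helo_forward_check(ip, helo)
    confirmed = fcrdns_names(ip)
    return helo_ok, bool(confirmed), _norm(helo) in confirmed


if __name__ == "__main__":
    for helo in ("mail.example.com", "spamdomain.com", "cpe-1-2-3-4.pool.rr.com"):
        print(f"HELO {helo}: {evaluate('1.2.3.4', helo)}")
```

Both mail.example.com and spamdomain.com pass the HELO check against 1.2.3.4, but only the ISP's pool name is confirmed by rDNS, which is the difference the two sides of the thread are arguing about.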

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735