Stuart D. Gathman wrote on Monday, January 29, 2007 9:29 AM -0600:
> Yes, but checking that the name provided by HELO agrees *already*
> checks that. Fetching PTR doesn't add anything.
I beg to differ. See below.
Quick example to make sure you understand:
Connect from 1.2.3.4
HELO mail.example.com
Lookup A record:
mail.example.com IN A 1.2.3.4
That name and A record are the same as you would get by first looking up:
4.3.2.1.in-addr.arpa IN PTR mail.example.com.
This works as long as everything is legitimate. Let's look what happens
when example.com is a spammer and wants to use a trojaned host as a spam
cannon. They trojan the host at 1.2.3.4 and then immediately publish
that IP in an A record and the SPF record under example.com, both
previously set up with short TTL's. If you just look at forward DNS
information, your query for the HELO name resolves to the connect IP,
and the SPF record designates that same IP as a mail host, so you are
tricked into believing this host is legitimate.
If you were to look at PTR, you would see:
4.3.2.1.in-addr.arpa IN PTR 1.2.3.4.pool.adsl.bigISP.com
Now this machine appears to not be legitimate. Reverse DNS is the only
way we currently have to indicate whether an IP is controlled by a
domain. This is important as example.com previously has _no_ reputation
which means you'll likely accept it. The spammer knows it will soon
develop a bad reputation and plans to abandon the domain as soon as this
happens. The IP may get blacklisted, but that times out soon and the IP
is again available to be a trojan host.
> There is no need to lookup the PTR, because HELO has already provided
> it. Bogus names can be provided in PTR just as easily as in HELO.
> Verifying the A record validates either one.
> Just think of HELO as an extra PTR that comes for free with an SMTP
> connection.
HELO is under the control of the machine operator, while PTR is under
the control of the IP owner and A is under the control of the domain
owner. Those three may well agree for legitimate mail hosts, but we
wish to detect hosts that are not legitimate. PTR is the only
information that tells you what domain controls the IP, so it's not
redundant at all.
--
Seth Goodman
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735
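The two scenarios Seth describes (HELO name's A record matching the connecting IP, with and without a PTR in the same domain) as a runnable check. This is an added illustration, not code from the post or from any SPF implementation. The DNS data is constructed inline from the records quoted in the thread so it runs offline; the `registered_domain` helper is a deliberate simplification (last two labels) that a real receiver would replace with a Public Suffix List lookup, and the classification labels are my own.

```python
import ipaddress

# Constructed zone data mirroring the post (not real DNS).
# Keys are (owner name, record type); values are lists of RDATA strings.
LEGIT_DNS = {
    ("mail.example.com", "A"): ["1.2.3.4"],
    ("4.3.2.1.in-addr.arpa", "PTR"): ["mail.example.com"],
}
TROJAN_DNS = {
    # Spammer's forward DNS points at the trojaned host ...
    ("mail.example.com", "A"): ["1.2.3.4"],
    # ... but the IP owner's reverse DNS says it is an ISP pool address.
    ("4.3.2.1.in-addr.arpa", "PTR"): ["1.2.3.4.pool.adsl.bigISP.com"],
    # Assumed: the ISP's generic PTR name forward-confirms, as is typical.
    ("1.2.3.4.pool.adsl.bigisp.com", "A"): ["1.2.3.4"],
}


def lookup(zone, name, rtype):
    """Case-insensitive lookup in the constructed zone; [] if no record."""
    return zone.get((name.rstrip(".").lower(), rtype), [])


def reverse_name(ip):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa (stdlib handles v6 too)."""
    return ipaddress.ip_address(ip).reverse_pointer


def registered_domain(name):
    """Simplified (assumed) domain extraction: last two labels.
    A real receiver would use the Public Suffix List here."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def helo_forward_ok(zone, helo, ip):
    """Stuart's check: the HELO name's A record contains the connecting IP.
    This is under the control of the domain owner only."""
    return ip in lookup(zone, helo, "A")


def ptr_domain_ok(zone, helo, ip):
    """Seth's additional check: some PTR for the IP lies in the HELO's domain
    and forward-confirms (its A record points back at the IP). The PTR is
    under the control of the IP owner, which the spammer does not have."""
    for ptr in lookup(zone, reverse_name(ip), "PTR"):
        if registered_domain(ptr) == registered_domain(helo) \
                and ip in lookup(zone, ptr, "A"):
            return True
    return False


def classify(zone, helo, ip):
    """Combine both checks into a verdict (labels are my own):
    'pass'    - forward and reverse DNS agree the IP belongs to the domain
    'suspect' - forward DNS vouches for the IP but the IP owner does not
    'fail'    - HELO name does not even resolve to the connecting IP"""
    if not helo_forward_ok(zone, helo, ip):
        return "fail"
    return "pass" if ptr_domain_ok(zone, helo, ip) else "suspect"


if __name__ == "__main__":
    for label, zone in (("legit", LEGIT_DNS), ("trojan", TROJAN_DNS)):
        print(label, classify(zone, "mail.example.com", "1.2.3.4"))
```

Both zones pass the forward-only test; only the reverse lookup separates the spammer's freshly published A record from an address that bigISP.com actually delegates to example.com. Short TTLs on the forward records do not help the spammer here because the in-addr.arpa zone is not theirs to edit.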