spf-discuss

RE: [spf-discuss] SPF basics commentary

2007-01-29 11:10:41
On Mon, 29 Jan 2007, Seth Goodman wrote:

> This works as long as everything is legitimate.  Let's look at what happens
> when example.com is a spammer and wants to use a trojaned host as a spam
> cannon.  They trojan the host at 1.2.3.4 and then immediately publish
> that IP in an A record and the SPF record under example.com, both
> previously set up with short TTLs.  If you just look at forward DNS
> information, your query for the HELO name resolves to the connect IP,
> and the SPF record designates that same IP as a mail host, so you are
> tricked into believing this host is legitimate.

No, I found that the *domain* was legitimate and not forged.  That is
all I'm claiming.  The domain in your example was not forged, and
can safely be credited with spam demerits and blocked shortly thereafter.
The spammer in your example could also publish "v=spf1 +all" to get
an SPF pass for any IP.

People requiring rDNS or worrying about spammers publishing "v=spf1 +all"
are apparently focused on IP reputation rather than domain reputation.
The whole point of the SPF project is to enable domain reputation.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/?list_id=735
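The exchange above turns on one distinction: an SPF "pass" authenticates the sending *domain*, never the IP, so a spammer who publishes "v=spf1 +all" (or an A record plus SPF for a trojaned host) gains nothing beyond binding their own domain to the message, and a domain-reputation check can block that domain whatever IP it sends from. The following is an added example, not code from the thread or from any SPF implementation: a reduced SPF evaluator (the `a`, `ip4` and `all` mechanisms only) run over constructed DNS data, followed by a policy step that applies demerits to the authenticated domain. The zones `openall.example` and `strict.example`, the reputation table and the threshold are all constructed for the example; `example.com` and `1.2.3.4` are the values used in the thread.

```python
"""Reduced SPF evaluation plus domain reputation.

Added example, not part of the original thread.  Shows that an SPF 'pass'
only identifies the domain, so the reputation decision is applied per
domain; a '+all' record passes any IP but still names the publisher.
"""
import ipaddress

# Constructed stand-in for DNS.  example.com mirrors the thread's scenario:
# the A record and the SPF record both point at the trojaned host 1.2.3.4.
# openall.example and strict.example are constructed for the example.
DNS = {
    "example.com": {"A": ["1.2.3.4"], "TXT": ["v=spf1 a -all"]},
    "openall.example": {"A": ["198.51.100.7"], "TXT": ["v=spf1 +all"]},
    "strict.example": {
        "A": ["203.0.113.10"],
        "TXT": ["v=spf1 ip4:203.0.113.0/24 -all"],
    },
}

# Constructed domain-reputation table: demerits accrue to the *domain*,
# regardless of which IP it last sent from.
DOMAIN_DEMERITS = {"example.com": 120, "openall.example": 0, "strict.example": 0}
BLOCK_THRESHOLD = 100  # constructed value

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain):
    """Evaluate the 'a', 'ip4' and 'all' mechanisms for <ip> against <domain>.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"              # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            # 'a' with no argument means the domain being checked
            target = arg or domain
            matched = any(
                ipaddress.ip_address(a) == addr
                for a in DNS.get(target, {}).get("A", [])
            )
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside this reduced evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match and without 'all'


def policy_decision(ip, domain):
    """SPF binds the message to a domain; reputation is then applied to it.

    Returns (spf_result, action).  Only 'fail' is rejected on SPF alone;
    a 'pass' is accepted or rejected on the *domain's* standing.
    """
    result = check_host(ip, domain)
    if result != "pass":
        return result, ("reject" if result == "fail" else "accept")
    blocked = DOMAIN_DEMERITS.get(domain, 0) >= BLOCK_THRESHOLD
    return result, ("reject" if blocked else "accept")


if __name__ == "__main__":
    # The thread's scenario: forward DNS and SPF agree, SPF passes, but the
    # domain has already earned its demerits, so it is blocked anyway.
    print(policy_decision("1.2.3.4", "example.com"))
    # '+all' passes any IP, yet the domain is still the one being judged.
    print(policy_decision("10.0.0.1", "openall.example"))
```

`check_host` deliberately covers only the mechanisms the thread's scenario needs; a real evaluator also handles `mx`, `include`, `ptr`, `exists`, redirects and the DNS lookup limit. The point carried by `policy_decision` is that a pass is only an identity statement, which is why the reply treats "v=spf1 +all" as harmless to a domain-reputation system.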