RE: [spf-discuss] Using SPF op=helo for HELO Authorization
2007-01-29 16:34:07
At 03:46 PM 1/29/2007 -0600, Seth Goodman wrote:
> David MacQuigg wrote on Monday, January 29, 2007 1:37 PM -0600:
> > At 01:16 PM 1/29/2007 -0500, Stuart D. Gathman wrote:
> > > On Mon, 29 Jan 2007, David MacQuigg wrote:
> > >
> > > > functionality as CSV, requiring an authentication record for each
> > > > and every host, which we can't expect domain owners to do.
> > >
> > > You need an authentication record for each and every name you
> > > want to authenticate with SPF, HELO or otherwise.
> >
> > So if we want just one record for rr.com, we will need to convince
> > them to say HELO rr.com and not include the complete hostname, in
> > violation of RFC compliance.
>
> I could be misunderstanding something basic about what you want to do,
> but I don't think rr.com needs to do anything special. SPF works by
> matching IP's, not hostnames.
And we need the domain name to aggregate authentication and reputation data
in an efficient and secure manner. Here is the problem with rr.com:
Their SPF record says
v=spf1 ip4:24.30.203.0/24 ip4:24.28.200.0/24 ip4:24.28.204.0/24
ip4:24.30.218.0/24 ip4:24.93.47.0/24 ip4:24.25.9.0/24 ip4:65.24.5.0/24
ip4:24.94.166.0/24 ip4:24.29.109.0/24 ip4:66.75.162.0/24 ip4:24.24.2.0/24
ip4:65.32.5.0/24 +mx ~all
authorizing 3074 IP addresses, including the few dozen that are actually
used for outgoing mail.
Unfortunately, that does not include *all* their outgoing mail servers, nor
does it allow us to reject any forgeries of their HELO name. OK, the first
problem really shouldn't happen, and if they were taking this record
seriously, it wouldn't, but the second problem is almost universal, due to
the fact that SPF records have to include addresses other than those of
their own transmitters.
So we use a default record for rr.com
opt=df:3 svc=X1:B
ip4=24.24.0.0/14,24.28.0.0/15,24.30.128.0/18,24.30.192.0/19,24.92.160.0/19,24.92.192.0/18,24.93.0.0/16,24.94.0.0/15,65.24.0.0/14,65.32.0.0/15,65.34.0.0/20,66.74.0.0/15
authorizing 1167360 IP addresses, this time including the few strays that
were not in their SPF record.
Now the only problem with this record is that if spammers get smart, they
will figure out a way to get the zombies in that huge Regional Registry
address space to use a HELO name ending in rr.com, and take advantage of
that company's B rating. We haven't seen it so far, but we know it will
happen. We will count against their reputation any spam we cannot reject
at HELO, based on their Registry record.
The good news is that rr.com can easily cut off the zombies, *without*
losing mail due to the ?all problem, and *without* blocking port 25, or
doing anything else that would bother a legitimate customer. All they have
to do is publish an _auth record telling us to reject at HELO anything not
authorized by their SPF record.
Wouldn't it be nice if SPF had an option to do this, one that allowed a
very efficient "compiled record" HELO authentication?
I know you guys can do it. Start thinking outside the box!
-- Dave
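A small Python model of the HELO check described in the message, added here as an example (not code from the message, from rr.com, or from any SPF implementation): it pulls the ip4 blocks out of the two records quoted above, reproduces the address counts (the ip4 mechanisms alone give 3072 of the 3074; +mx needs DNS and is skipped), and shows that a connection from inside rr.com's registry space but outside the SPF blocks is only counted against their reputation today, yet is rejected at HELO once the proposed _auth option is in force. Assumptions: the opt= and svc= fields of the _auth record are carried but not interpreted, and the verdict names (pass, reject, accept-and-count) are mine.

```python
import ipaddress
# rr.com's SPF record as quoted in the message above; only the ip4: terms are used here.
RR_SPF = (
    "v=spf1 ip4:24.30.203.0/24 ip4:24.28.200.0/24 ip4:24.28.204.0/24 "
    "ip4:24.30.218.0/24 ip4:24.93.47.0/24 ip4:24.25.9.0/24 ip4:65.24.5.0/24 "
    "ip4:24.94.166.0/24 ip4:24.29.109.0/24 ip4:66.75.162.0/24 ip4:24.24.2.0/24 "
    "ip4:65.32.5.0/24 +mx ~all"
)
# The broad default record from the message; opt= and svc= are carried but not interpreted.
RR_DEFAULT = (
    "opt=df:3 svc=X1:B ip4=24.24.0.0/14,24.28.0.0/15,24.30.128.0/18,24.30.192.0/19,"
    "24.92.160.0/19,24.92.192.0/18,24.93.0.0/16,24.94.0.0/15,65.24.0.0/14,65.32.0.0/15,"
    "65.34.0.0/20,66.74.0.0/15"
)

def spf_ip4_networks(record):
    """ip4: mechanisms of an SPF record as networks; +mx (needs DNS) and ~all are ignored."""
    nets = []
    for term in record.split():
        mech = term.lstrip("+-~?")  # drop the qualifier
        if mech.startswith("ip4:"):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets

def default_ip4_networks(record):
    """Comma-separated ip4= list of the default record, as networks."""
    for field in record.split():
        if field.startswith("ip4="):
            return [ipaddress.ip_network(c, strict=False) for c in field[4:].split(",")]
    return []

def address_count(nets):
    # collapse first so overlapping or duplicate blocks are counted once
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

def covered(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def helo_decision(client_ip, reject_unlisted):
    """Verdict for a client whose HELO name ends in rr.com. reject_unlisted=True models
    the proposed _auth option (reject anything outside the SPF ip4 mechanisms); False is
    the status quo: fall back to the broad default record and only count the sender."""
    if covered(client_ip, spf_ip4_networks(RR_SPF)):
        return "pass"
    if reject_unlisted:
        return "reject"
    if covered(client_ip, default_ip4_networks(RR_DEFAULT)):
        return "accept-and-count"
    return "reject"
```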