spf-discuss

RE: [spf-discuss] Using SPF op=helo for HELO Authorization

2007-01-29 16:34:07
At 03:46 PM 1/29/2007 -0600, Seth Goodman wrote:
> David MacQuigg wrote on Monday, January 29, 2007 1:37 PM -0600:
> > At 01:16 PM 1/29/2007 -0500, Stuart D. Gathman wrote:
> > > On Mon, 29 Jan 2007, David MacQuigg wrote:
> > >
> > > > functionality as CSV, requiring an authentication record for each
> > > > and every host, which we can't expect domain owners to do.
> > >
> > > You need an authentication record for each and every name you
> > > want to authenticate with SPF, HELO or otherwise.
> >
> > So if we want just one record for rr.com, we will need to convince
> > them to say HELO rr.com and not include the complete hostname, in
> > violation of RFC compliance.
>
> I could be misunderstanding something basic about what you want to do,
> but I don't think rr.com needs to do anything special.  SPF works by
> matching IPs, not hostnames.

And we need the domain name to aggregate authentication and reputation data in an efficient and secure manner. Here is the problem with rr.com:

Their SPF record says

    v=spf1 ip4:24.30.203.0/24 ip4:24.28.200.0/24 ip4:24.28.204.0/24 ip4:24.30.218.0/24 ip4:24.93.47.0/24 ip4:24.25.9.0/24 ip4:65.24.5.0/24 ip4:24.94.166.0/24 ip4:24.29.109.0/24 ip4:66.75.162.0/24 ip4:24.24.2.0/24 ip4:65.32.5.0/24 +mx ~all

authorizing 3074 IP addresses, including the few dozen that are actually used for outgoing mail.

Unfortunately, that does not include *all* their outgoing mail servers, nor does it allow us to reject any forgeries of their HELO name. OK, the first problem really shouldn't happen, and if they were taking this record seriously, it wouldn't, but the second problem is almost universal, due to the fact that SPF records have to include addresses other than those of their own transmitters.

So we use a default record for rr.com

    opt=df:3 svc=X1:B ip4=24.24.0.0/14,24.28.0.0/15,24.30.128.0/18,24.30.192.0/19,24.92.160.0/19,24.92.192.0/18,24.93.0.0/16,24.94.0.0/15,65.24.0.0/14,65.32.0.0/15,65.34.0.0/20,66.74.0.0/15

authorizing 1167360 IP addresses, this time including the few strays that were not in their SPF record.

Now the only problem with this record is that if spammers get smart, they will figure out a way to get the zombies in that huge Regional Registry address space to use a HELO name ending in rr.com, and take advantage of that company's B rating. We haven't seen it so far, but we know it will happen. We will count against their reputation any spam we cannot reject at HELO, based on their Registry record.

The good news is that rr.com can easily cut off the zombies, *without* losing mail due to the ?all problem, and *without* blocking port 25, or doing anything else that would bother a legitimate customer. All they have to do is publish an _auth record telling us to reject at HELO anything not authorized by their SPF record.

Wouldn't it be nice if SPF had an option to do this, one that allowed a very efficient "compiled record" HELO authentication?

I know you guys can do it.  Start thinking outside the box!

-- Dave
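The address counts and the HELO rule from Dave's post, worked through as an added example that is not part of the original thread. The parsing of the `opt=df ... ip4=` default record is an assumption (that syntax is the post's own proposal, not a published format), and the proposed `_auth` "reject anything outside SPF" instruction is modelled as a plain boolean flag; only ip4 mechanisms are counted, so the post's figure of 3074 (which includes the +mx hosts) comes out as 3072 offline.

```python
import ipaddress

# Records copied from the post above (constructed string constants for this example).
SPF_RECORD = ("v=spf1 ip4:24.30.203.0/24 ip4:24.28.200.0/24 ip4:24.28.204.0/24 "
              "ip4:24.30.218.0/24 ip4:24.93.47.0/24 ip4:24.25.9.0/24 ip4:65.24.5.0/24 "
              "ip4:24.94.166.0/24 ip4:24.29.109.0/24 ip4:66.75.162.0/24 ip4:24.24.2.0/24 "
              "ip4:65.32.5.0/24 +mx ~all")
DEFAULT_RECORD = ("opt=df:3 svc=X1:B ip4=24.24.0.0/14,24.28.0.0/15,24.30.128.0/18,"
                  "24.30.192.0/19,24.92.160.0/19,24.92.192.0/18,24.93.0.0/16,24.94.0.0/15,"
                  "65.24.0.0/14,65.32.0.0/15,65.34.0.0/20,66.74.0.0/15")


def spf_ip4_networks(record):
    """Collect the positively qualified ip4: mechanisms of an SPF record.
    mx/a/include are deliberately not resolved, so this runs offline."""
    nets = []
    for term in record.split():
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier == "+" and term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets


def default_record_networks(record):
    """Parse the comma-separated ip4= list of the post's hypothetical default record."""
    for term in record.split():
        if term.startswith("ip4="):
            return [ipaddress.ip_network(c, strict=False) for c in term[4:].split(",")]
    return []


def address_count(nets):
    # The CIDRs in both records do not overlap, so a plain sum is the exact count.
    return sum(n.num_addresses for n in nets)


def helo_decision(client_ip, helo_name, spf_nets, default_nets, reject_outside_spf):
    """Decide a HELO that claims an rr.com name: 'accept', 'reject' or 'unknown'.
    reject_outside_spf models the proposed _auth instruction from the post."""
    ip = ipaddress.ip_address(client_ip)
    if not (helo_name == "rr.com" or helo_name.endswith(".rr.com")):
        return "unknown"          # some other domain; these records say nothing about it
    if any(ip in n for n in spf_nets):
        return "accept"           # a transmitter the domain itself lists
    if reject_outside_spf:
        return "reject"           # domain asked us to treat everything else as forged
    # Without that instruction, fall back to the broad registry-based default record.
    return "accept" if any(ip in n for n in default_nets) else "reject"
```

With the flag off, a host anywhere in the 1.1 million-address registry block (the "zombie" case) is accepted on the domain's rating; with it on, the same connection is rejected at HELO while every listed transmitter still passes.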
