Stuart D. Gathman wrote:
> On Mon, 29 Jan 2007, Devin Ganger wrote:
> > How can I make a true determination of a domain's reputation (and a given
> > connection's right to benefit from that reputation) unless I can determine
> > whether that connection is allowed to use that domain?
> If the domain put the connect IP address in their DNS for the HELO name,
> or listed it in their SPF record for HELO or MAIL FROM, then they are
> responsible for the connection. That is what SPF is all about.

Sorry, imprecise terminology. By "connection" I meant "incoming SMTP
connection."

Let me rephrase: how do I determine whether an incoming SMTP connection is in
fact using an IP address they are allowed to use?

Given the sheer numbers of bots out there, you can no longer assume that an
incoming SMTP connection is necessarily allowed to be an email sender. A
spammer with a botnet can configure those bots to use a HELO domain in a domain
*the spammer controls*. Sure, the domain lists the IP address properly, but
it's still a stolen IP address.

The best way we have to check that now is by verifying the rDNS of the incoming
SMTP connection. If the HELO, forward, and rDNS don't match, that's an
interesting piece of data. It could mean that it's a fraudulent connection,
that the operator of the incoming host has not configured their box correctly,
or that the IP provider is clueless about rDNS delegation. Some people choose
to be more strict with those kinds of connections; others may want to treat
mail from that source with more suspicion. But it's a relevant piece of data to
feed to your reputation systems.

If they *do* match, that tells us that we can usefully assume this is a
legitimate host in that IP/domain space. Again, how that affects the reputation
data is up to the receiver. However, many receivers will not wish to treat
bogus mail coming from a match the same way they would that same mail coming
from a system that didn't match.

You can try to isolate domain reputation and IP reputation, but out here in
the real world they're intertwined.

> And if you want to whitelist some IPs for a customer, you need to keep
> them updated. Man, those phone calls to update IPs are a nuisance!
> Hey, maybe they could put the IPs in a DNS record under their domain!

You seem to be ignoring the fact that anyone can put any IP addresses into
their A records. PTR records are the only useful way of validating that
information at this time. No one is claiming they're perfect, but they're the
best we've got right now. And as far as I have seen, no one is blindly
advocating using rDNS consistency as a widespread criterion for rejecting
messages.

> That is what SPF (and HELO names) are all about - associating IPs
> with email domains in an automatic way that is under the control
> of the domain owner.

Yes, and when you're doing HELO checks, you're not validating domains so much
as you are the host at that IP address. The HELO domain need have no
relationship to the domains in the messages passed.

HELO checks are asking, "Do we have enough information to decide whether we
trust this source?" -- and despite your assertion that SPF isn't intended to
control IP reputation, that's exactly what SPF checks for HELO boil down to.
--
Devin L. Ganger, Exchange MVP Email: deving(_at_)3sharp(_dot_)com
3Sharp LLC Phone: 425.882.1032 x1011
14700 NE 95th Suite 210 Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
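The HELO / forward / rDNS consistency check discussed in the message above, as an added example that is not part of the original post or of the SPF project's own code. It uses a constructed in-memory DNS table (hypothetical names, RFC 5737 documentation addresses) so it runs offline; a real deployment would swap `lookup` for a resolver. The spammer-controlled zone shows the point made in the thread: the domain's A record "properly" lists the bot's IP, so a forward-only check passes, but the PTR for that IP is under the ISP's control and names a residential host, so the reverse check does not match.

```python
"""
Illustrative HELO / forward / reverse-DNS consistency check for an incoming
SMTP connection. Added example; not code from the original post or from the
SPF project. All DNS data below is constructed for the example.
"""
import ipaddress

# Constructed zone data. Hypothetical names; RFC 5737 documentation IPs.
DNS = {
    # A legitimately configured mail host: A and PTR agree with each other.
    ("A",   "mx1.example.net"):                 ["192.0.2.10"],
    ("PTR", "10.2.0.192.in-addr.arpa"):         ["mx1.example.net"],
    # A domain the spammer controls: its A record claims a bot's address, but
    # the ISP's PTR for that address still names the residential CPE host.
    ("A",   "mail.spammer.example"):            ["198.51.100.77"],
    ("PTR", "77.100.51.198.in-addr.arpa"):      ["cpe-198-51-100-77.isp.example"],
    ("A",   "cpe-198-51-100-77.isp.example"):   ["198.51.100.77"],
    # A probably legitimate but sloppily configured host: no PTR at all.
    ("A",   "mail.sloppy.example"):             ["203.0.113.5"],
}


def lookup(rtype, name):
    """Stand-in for a DNS resolver; returns [] where real DNS would NXDOMAIN."""
    return DNS.get((rtype, name.lower().rstrip(".")), [])


def reverse_name(ip):
    """in-addr.arpa / ip6.arpa name for an address, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def helo_consistency(ip, helo):
    """
    Compare three things for a connection from `ip` announcing `helo`:
      forward_ok : does the HELO name's A record include the connecting IP?
                   (Anyone can make this true for a domain they control.)
      ptr_names  : PTR names for the IP (controlled by whoever owns the
                   address space, not by the HELO domain's owner).
      fcrdns     : PTR names that resolve back to the IP (forward-confirmed).
    The verdict is data for a reputation system, not a reject decision.
    """
    helo = helo.lower().rstrip(".")
    forward_ok = ip in lookup("A", helo)
    ptr_names = [n.lower().rstrip(".") for n in lookup("PTR", reverse_name(ip))]
    fcrdns = [n for n in ptr_names if ip in lookup("A", n)]

    if helo in fcrdns:
        verdict = "match"        # HELO, forward and rDNS all agree
    elif not ptr_names:
        verdict = "no_ptr"       # provider or operator never set up rDNS
    elif not fcrdns:
        verdict = "broken_rdns"  # PTR exists but does not resolve back
    else:
        verdict = "mismatch"     # rDNS names a different host than HELO claims

    return {"ip": ip, "helo": helo, "forward_ok": forward_ok,
            "ptr_names": ptr_names, "fcrdns": fcrdns, "verdict": verdict}


# Hypothetical receiver policy: how each verdict nudges a reputation score.
# The thread's point is that this weighting is the receiver's choice.
REPUTATION_ADJUSTMENT = {"match": +1, "no_ptr": -1, "broken_rdns": -2, "mismatch": -3}


def reputation_adjustment(ip, helo):
    return REPUTATION_ADJUSTMENT[helo_consistency(ip, helo)["verdict"]]


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mx1.example.net"),
                     ("198.51.100.77", "mail.spammer.example"),
                     ("203.0.113.5", "mail.sloppy.example")]:
        r = helo_consistency(ip, helo)
        print(f"{ip:15} HELO {helo:25} forward_ok={r['forward_ok']!s:5} "
              f"verdict={r['verdict']}")
```

Note that for the spammer-controlled zone `forward_ok` is True, which is exactly the case where an A-record-only check (or an SPF `a` mechanism in a record the spammer wrote) would pass; only the PTR, which the spammer cannot edit, exposes the mismatch. The missing-PTR case is deliberately kept separate from the mismatch case so a receiver can weight "provider never delegated rDNS" differently from "rDNS names someone else".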
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735