spf-discuss

RE: [spf-discuss] SPF basics commentary

2007-01-29 18:37:28
Devin Ganger wrote on Monday, January 29, 2007 7:13 PM -0600:

Stuart D. Gathman wrote:

On Mon, 29 Jan 2007, Devin Ganger wrote:

How can I make a true determination of a domain's reputation (and
a given connection's right to benefit from that reputation)
unless I can determine whether that connection is allowed to use
that domain?

If the domain put the connect IP address in their DNS for the HELO
name, or listed it in their SPF record for HELO or MAIL FROM, then
they are responsible for the connection.  That is what SPF is all
about.

Sorry, imprecise terminology. By "connection" I meant "incoming SMTP
connection."

Let me rephrase: how do I determine whether an incoming SMTP
connection is in fact using an IP address they are allowed to use?

You've got this right, you can't tell a stolen IP from forward DNS
alone.  You don't want connections coming from stolen IPs, even if the
thieves own a legitimate domain.


Given the sheer numbers of bots out there, you can no longer assume
that an incoming SMTP connection is necessarily allowed to be an
email sender. A spammer with a botnet can configure those bots to use
a HELO domain in a domain *the spammer controls*. Sure, the domain
lists the IP address properly, but it's still a stolen IP address.

The best way we have to check that now is by verifying the rDNS of
the incoming SMTP connection. If the HELO, forward, and rDNS don't
match, that's an interesting piece of data. It could mean that it's a
fraudulent connection, that the operator of the incoming host has not
configured their box correctly, or that the IP provider is clueless
about rDNS delegation. Some people choose to be more strict with
those kinds of connections; others may want to treat mail from that
source with more suspicion. But it's a relevant piece of data to feed
to your reputation systems.

<...>

You can try to isolate domain reputation and IP reputation, but
out here in the real world they're intertwined.

And if you want to whitelist some IPs for a customer, you need to
keep them updated.  Man, those phone calls to update IPs are a
nuisance! Hey, maybe they could put the IPs in a DNS record under
their domain!

You seem to be ignoring the fact that anyone can put any IP addresses
into their A records. PTR records are the only useful way of
validating that information at this time. No one is claiming they're
perfect, but they're the best we've got right now. And as far as I
have seen, no one is blindly advocating using rDNS consistency as a
widespread criterion for rejecting messages.

Actually, a lot of people do exactly that because it is effective.
You're right that it is not without cost, just that the benefits often
outweigh them.

--
Seth Goodman
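The two checks the thread argues about, a domain listing the connect IP in its own SPF record versus forward-confirmed rDNS of the connecting IP, as an added example that is not part of the original thread or of any SPF implementation. The DNS zone data, host names and addresses below are constructed for illustration (documentation ranges, hypothetical names such as `mail.spammer.example`), and the resolver is a plain dictionary so the script runs offline; the SPF evaluator is deliberately minimal (only `ip4`, `a` and `all`, no `include:`, `mx`, `redirect=` or lookup limits) and is not a substitute for a real library.

```python
"""Forward-confirmed rDNS versus a domain's own SPF record.

Added example, not code from the spf-discuss thread.  The DNS data is
constructed: 'good.example' is a properly run mail host whose PTR and A
records agree; 'mail.spammer.example' is a domain the spammer controls,
which lists a bot's address (dynamic space belonging to the hypothetical
ISP 'isp.example') in both its A record and its SPF record.  Anyone can put
any IP in their own A/SPF records, but only the owner of the reverse zone
can set the PTR for the address, which is the distinction the thread is about.
"""
import ipaddress

# Constructed zone data (hypothetical names and documentation-range addresses).
DNS = {
    "A": {
        "mx1.good.example": ["192.0.2.10"],
        "mail.spammer.example": ["198.51.100.77"],   # spammer points A at the bot
        "dyn-77.isp.example": ["198.51.100.77"],     # the ISP's real name for it
    },
    "PTR": {
        "192.0.2.10": ["mx1.good.example"],
        "198.51.100.77": ["dyn-77.isp.example"],     # reverse zone is the ISP's, not the spammer's
    },
    "TXT": {
        "mx1.good.example": ["v=spf1 a -all"],
        "mail.spammer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    },
}


def lookup(rrtype, name):
    """Offline stand-in for a DNS query; returns [] when the name has no data."""
    return DNS[rrtype].get(name, [])


def fcrdns(ip, helo):
    """Forward-confirmed reverse DNS for a connecting IP and its HELO name.

    'match'         : PTR(ip) names HELO and A(HELO) contains ip (all three agree)
    'helo_mismatch' : PTR(ip) forward-confirms, but to a different name than HELO
    'forward_fails' : PTR exists but none of its names resolve back to ip
    'no_ptr'        : the address has no reverse entry at all
    """
    ptrs = lookup("PTR", ip)
    if not ptrs:
        return "no_ptr"
    confirmed = [name for name in ptrs if ip in lookup("A", name)]
    if not confirmed:
        return "forward_fails"
    return "match" if helo in confirmed else "helo_mismatch"


def spf_check(ip, domain):
    """Minimal SPF evaluation of `domain`'s record for `ip` (HELO identity).

    Supports only ip4 (with CIDR), a (optionally a:target) and all, with the
    +/-/~/? qualifiers.  Returns pass/fail/softfail/neutral, or none when the
    domain publishes no usable record.
    """
    records = [t for t in lookup("TXT", domain) if t.startswith("v=spf1")]
    if len(records) != 1:
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup("A", arg or domain)
        else:
            continue  # mechanisms this toy evaluator does not implement
        if matched:
            return results[qualifier]
    return "neutral"  # record exhausted without a match (RFC 4408 default)


def assess(ip, helo):
    """Both signals for one inbound SMTP connection, to feed a reputation system."""
    return {"spf_helo": spf_check(ip, helo), "fcrdns": fcrdns(ip, helo)}


if __name__ == "__main__":
    # Constructed connections: a legitimate host, a bot using the spammer's
    # own HELO domain, and a host forging someone else's HELO name.
    for ip, helo in [("192.0.2.10", "mx1.good.example"),
                     ("198.51.100.77", "mail.spammer.example"),
                     ("203.0.113.5", "mx1.good.example")]:
        print(f"{ip:16} HELO {helo:24} {assess(ip, helo)}")
```

The second connection is the case Devin describes: SPF for the HELO name passes, because the spammer put the bot's address in a domain the spammer controls, while the rDNS check reports `helo_mismatch`, because the reverse zone for that address belongs to the ISP and names it `dyn-77.isp.example`. The third shows the opposite failure, a forged HELO with no PTR at all, which SPF already rejects on its own.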

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/