spf-discuss

RE: [spf-discuss] SPF basics commentary

2007-01-29 18:41:34
On Mon, 29 Jan 2007, Devin Ganger wrote:

>> If the domain put the connect IP address in their DNS for the HELO name,
>> or listed it in their SPF record for HELO or MAIL FROM, then they are
>> responsible for the connection.  That is what SPF is all about.
>
> Sorry, imprecise terminology. By "connection" I meant "incoming SMTP
> connection."
>
> Let me rephrase: how do I determine whether an incoming SMTP connection is in
> fact using an IP address they are allowed to use?

If by "they", you mean the domain owner, then you know when HELO matches
the connect IP, or gets SPF PASS, and when MAIL FROM gets SPF PASS.  rDNS
has nothing to do with it.

If by "they" you (as I suspect you do) mean "the ISP", then yes, rDNS
is important.  But that is off topic for an SPF list, where we are
primarily interested in *domain* authentication and reputation.  IP
reputation is old hat - been there, done that.

> Given the sheer numbers of bots out there, you can no longer assume that an
> incoming SMTP connection is necessarily allowed to be an email sender. A
> spammer with a botnet can configure those bots to use a HELO domain in a
> domain *the spammer controls*. Sure, the domain lists the IP address
> properly, but it's still a stolen IP address.

Yes, it's a stolen IP address.  But it is *not* a stolen domain.  SPF
is about *domain* authentication.

And if you want to whitelist some IPs for a customer, you need to keep
them updated.  Man, those phone calls to update IPs are a nuisance!
Hey, maybe they could put the IPs in a DNS record under their domain!

> You seem to be ignoring the fact that anyone can put any IP addresses into
> their A records. PTR records are the only useful way of validating that
> information at this time. No one is claiming they're perfect, but they're the
> best we've got right now. And as far as I have seen, no one is blindly
> advocating using rDNS consistency as a widespread criterion for rejecting
> messages.

Of course.  But those IP addresses were put there BY THE DOMAIN OWNER,
and so the *domain* was not forged.

That is what SPF (and HELO names) are all about - associating IPs
with email domains in an automatic way that is under the control
of the domain owner.

> Yes, and when you're doing HELO checks, you're not validating domains so much
> as you are the host at that IP address. The HELO domain need have no
> relationship to the domains in the messages passed.

If you are "not validating domains so much", then maybe you are on the
wrong mailing list.

> HELO checks are asking, "Do we have enough information to decide whether we
> trust this source?" -- and despite your assertion that SPF isn't intended to
> control IP reputation, that's exactly what SPF checks for HELO boil down to.

No, they [HELO SPF checks] validate the HELO name, regardless of how many IPs
are assigned to it.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
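The decision rule Stuart states above (HELO is authenticated when its A record matches the connect IP or when an SPF check on the HELO name passes; MAIL FROM is authenticated by SPF PASS on its domain; rDNS plays no part) can be made concrete with a small evaluator. The following is an added example written for this archive page; it is not code from the thread, from openspf.org, or from any SPF library. The DNS table is constructed in memory, the domains and addresses (example.com, spammer.example, 192.0.2.x, 203.0.113.x) are hypothetical, and the evaluator implements only the ip4, a, mx, include and all mechanisms with +/-/~/? qualifiers, not the full RFC 4408 syntax (no macros, no exp, no PTR lookups at all). The botnet case from the exchange is included: a bot whose HELO and MAIL FROM both sit under the spammer's own domain gets PASS, because the domain is not forged, while the same bot forging example.com gets FAIL.

```python
"""Toy SPF evaluator: HELO check vs MAIL FROM check, no rDNS involved.

Added example for illustration only; not from the spf-discuss thread
or any SPF implementation. DNS data and domains below are constructed.
"""
import ipaddress

# Constructed DNS zone data (hypothetical domains and addresses).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx a:mail.example.com -all"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["192.0.2.10"]},
    "mail.example.com": {"A": ["192.0.2.11"]},
    # Domain the spammer controls; it lists the botnet's address range
    # in its own SPF record, so the domain owner vouches for those IPs.
    "spammer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "bot7.spammer.example": {"A": ["203.0.113.77"]},
    # Domain that publishes no SPF record.
    "nospf.example": {"A": ["198.51.100.5"]},
}

QUALIFIER_RESULT = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


def lookup(name, rtype):
    """Return the list of records of type rtype for name (empty if none)."""
    return DNS.get(name, {}).get(rtype, [])


def check_spf(ip, domain, depth=0):
    """Evaluate domain's SPF record against the connecting ip.

    Returns PASS, FAIL, SOFTFAIL, NEUTRAL, NONE (no record) or PERMERROR.
    Subset of RFC 4408: ip4, a, mx, include, all; no macros or PTR.
    """
    if depth > 10:                       # include recursion limit
        return "PERMERROR"
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "NONE"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result
        if mech == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "a":
            if ip in lookup(arg or domain, "A"):
                return result
        elif mech == "mx":
            for mx in lookup(arg or domain, "MX"):
                if ip in lookup(mx, "A"):
                    return result
        elif mech == "include":
            if check_spf(ip, arg, depth + 1) == "PASS":
                return result
        else:
            return "PERMERROR"           # unsupported mechanism
    return "NEUTRAL"                     # record ran out without a match


def helo_authenticated(ip, helo):
    """HELO name vouches for ip if its A record matches, or SPF on it passes."""
    if ip in lookup(helo, "A"):
        return True
    return check_spf(ip, helo) == "PASS"


def classify_connection(ip, helo, mail_from):
    """Which *domains* vouched for this connection. rDNS is not consulted."""
    return {
        "helo_authenticated": helo_authenticated(ip, helo),
        "mail_from": check_spf(ip, mail_from.rpartition("@")[2]),
    }


if __name__ == "__main__":
    # Legitimate MX of example.com sending for example.com.
    print(classify_connection("192.0.2.10", "mx1.example.com", "alice@example.com"))
    # Bot using the spammer's own domain: domain authenticated, IP still a bot.
    print(classify_connection("203.0.113.77", "bot7.spammer.example", "x@spammer.example"))
    # Same bot forging example.com: HELO still fine, MAIL FROM fails.
    print(classify_connection("203.0.113.77", "bot7.spammer.example", "victim@example.com"))
```

The second and third cases are the crux of the exchange: the bot's HELO name and the spammer's MAIL FROM domain both authenticate because the spammer, as domain owner, published the records, so SPF correctly reports the domain as not forged; whether 203.0.113.77 deserves to send mail at all is an IP reputation question the evaluator never asks. Note also that HELO and MAIL FROM are checked independently, so a HELO name can authenticate while the MAIL FROM domain fails.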

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to http://v2.listbox.com/member/?list_id=735