On Mon, Jan 29, 2007 at 05:13:01PM -0800, Devin Ganger wrote:

> Given the sheer numbers of bots out there, you can no longer assume that an
> incoming SMTP connection is necessarily allowed to be an email sender. A
> spammer with a botnet can configure those bots to use a HELO domain in a
> domain *the spammer controls*. Sure, the domain lists the IP address
> properly, but it's still a stolen IP address.

SPF is not about authorization for participating in the email system
(nor is HELO). SPF is about authorization for using domain names.
That spammer authorizes an IP address to use the spammer's domain name.
So what.

With domain name based reputation schemes, you don't even care if the
host is or is not authorized to use the spammer's name. You just won't
accept email from "bigspammer.example" (HELO or MAIL FROM).

This said, I do think the use of HELO domains should be more strict.
Any ISP can set up rDNS for each host. Any ISP can also configure a
matching A record for each PTR record.

Easy to script:

    1.2.0.192.in-addr.arpa. IN PTR a192-0-2-1.adsl.example.com.
    a192-0-2-1.adsl.example.com. IN A 192.0.2.1

Any host can be configured to use its own name (the parameter in the
PTR record!) in HELO, except a few corner cases where no DNS is
available. In such a case (very rare!) the address literal escape
can be used.

True, some people won't like using "HELO a192-0-2-1.adsl.example.com"
but that's exactly what the host is named. "mail.prettyname.example"
is currently also allowed (provided this *is* a name *for*that*host*)
even without "1.2.0.192.in-addr.arpa. IN PTR mail.prettyname.example.".
This is a mistake IMHO.

For those few SMTP servers that are multi-homed, it would be relatively(!)
easy to determine which interface is going to be used, thus which domain
name to use for HELO.

This means that in every case, it would be possible to use a tailored
HELO domain for the interface used for sending mail, and RFC 2821
section 4.1.4 paragraph 6 can be changed.

The situation then:

Each host will have to use its own name (IP->PTR->A) in HELO. Not
doing so is a reason to disconnect immediately.

Suppose bots would be reconfigured to dynamically find the host's
true name and use it for their HELO, wouldn't that be great?

More problematic in this case is setting up SPF. The power is with
the ISP, and if ISPs are going to decide which host is allowed to
send mail or not, people may just stop using a proper HELO, reverting
to some other name that is not listed as PTR. I would rather see
a (ISP)default "v=spf1 a -all" record for each host, if they want to
publish anything at all, certainly not "v=spf1 -all".

In fact, if the entire world would use these strict helo rules, SPF
would no longer be necessary for HELO, at least not for anti-forgery.

Alex
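
The strict rule proposed in the message above (HELO must be the connecting host's own IP->PTR->A name, with the address literal as the escape), sketched as a receiver-side check. This is an added example, not part of the original post. The zone data is constructed from the two records shown in the message, lookup() is a hypothetical stand-in for a real resolver, and only IPv4 address literals are handled.

```python
import ipaddress

# Constructed zone data mirroring the two records in the message (not live DNS).
ZONE = {
    ("1.2.0.192.in-addr.arpa", "PTR"): ["a192-0-2-1.adsl.example.com."],
    ("a192-0-2-1.adsl.example.com", "A"): ["192.0.2.1"],
    # A pretty name that resolves to the host but is not its PTR target.
    ("mail.prettyname.example", "A"): ["192.0.2.1"],
    # A PTR whose target does not point back (unconfirmed reverse DNS).
    ("9.2.0.192.in-addr.arpa", "PTR"): ["mx.other.example."],
    ("mx.other.example", "A"): ["198.51.100.7"],
}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def lookup(name, rrtype, zone=ZONE):
    """Hypothetical resolver: returns record data from the constructed zone."""
    return zone.get((norm(name), rrtype), [])

def confirmed_names(ip, zone=ZONE):
    """Names reached by IP -> PTR whose A record leads back to the same IP."""
    addr = ipaddress.ip_address(ip)
    names = set()
    for target in lookup(addr.reverse_pointer, "PTR", zone):
        if any(ipaddress.ip_address(a) == addr for a in lookup(target, "A", zone)):
            names.add(norm(target))
    return names

def check_helo(ip, helo, zone=ZONE):
    """Return 'accept' or 'reject: <reason>' for a HELO argument under the strict rule."""
    addr = ipaddress.ip_address(ip)
    if helo.startswith("[") and helo.endswith("]"):
        # Address literal escape for hosts without DNS: must be the peer address.
        try:
            literal = ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return "reject: malformed address literal"
        return "accept" if literal == addr else "reject: literal does not match peer"
    names = confirmed_names(ip, zone)
    if not names:
        return "reject: no forward-confirmed PTR for peer"
    if norm(helo) not in names:
        return "reject: HELO is not the host's PTR name"
    return "accept"
```

Note that "mail.prettyname.example" is rejected even though its A record points at the peer: under the strict rule only the PTR target counts, which is the change to current practice the message argues for.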