
RE: [spf-discuss] Re: "pretend" MAIL FROM

2007-03-15 07:21:40
Frank Ellermann wrote on Wednesday, March 14, 2007 4:18 PM -0600:

> Seth Goodman wrote:
>
>> The alternative I suggested was to test for a locally maintained
>> domain list at the end of the HELO test, *iff* there is no HELO
>> pass.  This is only a slight variation to your method.
>
> It won't help immediately if they add new HELO identities with or
> without SPF policy for new mailouts; the receiver still has to
> maintain a set of trusted MTAs.  At least I now understand an older
> thread about "sets of MTAs" started by David some weeks ago.
> That's a point where we have to admit that SPF HELO checks are
> fine, but CSV would be better.

This is true; however, the HELO FQDN generally contains the parent
domain name, and that just might provide a way to emulate CSV and
automatically track non-SRS forwarders who publish SPF records.  If
the reputation system were to look for entries, and create them if
they don't already exist, for each parent domain of the HELO FQDN,
the reputation system behaves as if it were CSV-aware and the
domains all published CSV records.  This provides a number of
possible places to whitelist a forwarder by domain, and it would
automatically whitelist newly appearing MTAs that share a naming
structure.  Even if they are not whitelisted, MTAs automatically
share reputation among other MTAs with related HELO names.

Seth Goodman
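
The parent-domain lookup described in the message above, as an added example that is not part of the original post or of any SPF or CSV implementation. The names `parent_domains` and `HeloReputation`, the small suffix set and the hostnames are constructed; crediting reputation only when the SPF HELO result is `pass` is an assumption of this sketch.

```python
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}  # constructed stand-in for a full public-suffix list

def parent_domains(helo):
    """HELO FQDN plus each parent domain, most specific first, stopping below the public suffix."""
    name = helo.strip().rstrip(".").lower()
    if not name or name.startswith("["):       # address literal such as [192.0.2.1]: nothing to track
        return []
    labels = name.split(".")
    chain = []
    for i in range(len(labels) - 1):           # never emit a bare single label
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            break
        chain.append(candidate)
    return chain

class HeloReputation:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)        # locally maintained list of trusted forwarder domains
        self.entries = {}                      # domain -> [good, bad] message counts

    def observe(self, helo, spf_helo_result, good):
        """Look up, creating if absent, an entry per parent domain and credit the outcome to each."""
        if spf_helo_result != "pass":          # assumption: an unauthenticated HELO name earns nothing
            return []
        chain = parent_domains(helo)
        for domain in chain:
            counts = self.entries.setdefault(domain, [0, 0])
            counts[0 if good else 1] += 1
        return chain

    def whitelisted_by(self, helo, spf_helo_result):
        """Most specific whitelisted parent of an SPF-passing HELO name, or None."""
        if spf_helo_result != "pass":
            return None
        return next((d for d in parent_domains(helo) if d in self.whitelist), None)

    def inherited(self, helo):
        """(domain, [good, bad]) from the most specific parent that already has history, or None."""
        return next(((d, self.entries[d]) for d in parent_domains(helo) if d in self.entries), None)

def demo():
    """Two known MTAs of a whitelisted forwarder build history that a new sibling inherits."""
    rep = HeloReputation(whitelist={"fwd.example.net"})
    for helo in ("mx1.fwd.example.net", "mx2.fwd.example.net"):   # constructed HELO names
        rep.observe(helo, "pass", good=True)
    return rep
```

A HELO name never seen before, such as `mx9.fwd.example.net`, matches the whitelist through its parent and inherits the counts recorded at `fwd.example.net`, which is the CSV-like behaviour the message describes.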
