spf-discuss

Re: [spf-discuss] Re: Revising SOFTFAIL

2008-01-05 16:08:32

On Sat, 2008-01-05 at 22:34 +0000, Julian Mehnle wrote:
> David Woodhouse wrote:
> > [...]
> > why would you need multiple handles for the same sending host?
> >
> > Although actually if the sender _really_ wants to, they _can_ give a
> > different HELO name according to the mail they're sending. It's a bit
> > pointless, but some people seem to do it anyway. And there's nothing in
> > CSV which prevents that from working.
>
> So you're saying it is up to the sending host to provide varying HELO
> identities if the receiver is supposed to be able to discriminate mail
> that originates from varying senders but is all sent through that common
> host.  I.e. they would say "HELO mehnle.net.mailout.isp.com".

Remember, we're talking about a 'handle' used to do lookups in some kind
of reputation system, which results in some answer like (for example):
 "the domain woodhou.se sends mostly spam" or 
 "the host using HELO bombadil.infradead.org sends mostly ham".

If you're going to do that kind of lookup, you need some reliable way to
know that the mail you're receiving really _is_ associated with the
domain or host to which you're attributing it.

SPF attempts to provide that for domains, but makes not-entirely-true
assumptions about the way SMTP works in the real world. CSV provides it
for HELO names. Each just attempts to 'authenticate' the mail so that
you can reliably look up whatever 'handle' you've used.

So what I'm saying is that in the CSV case, if the admin of a sending
host _really_ wants to use multiple handles or 'reputations' -- perhaps
one for "definitely not spam, from customers who pay extra and whose
first-born we have in escrow", and another for "stuff which has SA
points, from Windows-using customers" -- they _could_ do that.

Some people providing mailservers have taken to using multiple servers
for outgoing mail -- a 'low-risk' server and a separate 'high-risk' one
which is more likely to get blacklisted. If the blacklisting were done
with a reputation database based on CSV, it would be theoretically
possible to do it on just one host, by using a different HELO name.

> Will they do that even for individual localparts (which SPF does support),
> i.e., will they say "HELO julian._.mehnle.net.mailout.isp.com"?

It would be theoretically possible for them to do so, although I find it
unlikely that many would. I'm not aware that SPF can do that. Of course
the localpart can be a factor in the calculation of the authentication
result, but I know of no way that you can force a recipient to make a
distinction between the reputation of 'foo@domain.com' and the
reputation of 'bar@domain.com' short of disowning one or the other.

-- 
dwmw2
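
To make the 'handle' idea from this exchange concrete, here is an added example (my own, not code from the thread or from any SPF or CSV implementation): a toy reputation ledger that attributes a message only to an identity the receiver has already authenticated, with SPF supplying a domain-level handle and CSV a HELO-level one. The host names, domains, verdicts and spam labels are constructed, and the SPF and CSV checks themselves are assumed to have run beforehand.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Message:
    # Identities the sender presented plus the receiver's own verdicts on them.
    helo: str
    mail_from: str
    spf_result: str   # verdict for the MAIL FROM domain, e.g. "pass" or "fail"
    csv_result: str   # verdict for the HELO name, e.g. "pass" or "fail"
    is_spam: bool     # what the receiver later concluded about the message

def handles(msg):
    """Reputation handles this message may be attributed to.

    Only an authenticated identity becomes a handle: an unauthenticated
    domain or HELO name is neither credited nor blamed, since the mail may
    not really be associated with it.  SPF yields the domain; the localpart
    is not a separate handle, so foo@ and bar@ share one reputation.
    """
    out = []
    if msg.spf_result == "pass":
        out.append(("domain", msg.mail_from.rsplit("@", 1)[1].lower()))
    if msg.csv_result == "pass":
        out.append(("helo", msg.helo.lower()))
    return out

class Reputation:
    def __init__(self):
        self.counts = defaultdict(lambda: [0, 0])  # handle -> [ham, spam]

    def record(self, msg):
        for h in handles(msg):
            self.counts[h][1 if msg.is_spam else 0] += 1

    def spam_ratio(self, handle):
        ham, spam = self.counts.get(handle, (0, 0))
        return None if ham + spam == 0 else spam / (ham + spam)

def build_demo():
    """Constructed traffic: one ISP host uses two HELO names, one per risk class."""
    rep = Reputation()
    low, high = "lowrisk.mailout.isp.example", "highrisk.mailout.isp.example"
    rep.record(Message(low, "foo@mehnle.example", "pass", "pass", False))
    rep.record(Message(high, "bar@mehnle.example", "pass", "pass", True))
    rep.record(Message(high, "x@other.example", "pass", "pass", True))
    # Forged sender: both checks fail, so forged.example gets no entry at all.
    rep.record(Message(high, "y@forged.example", "fail", "fail", True))
    return rep
```

The two HELO names end up with separate spam ratios even though they are one host, while the two localparts at mehnle.example collapse into a single domain handle.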

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
