spf-discuss

Re: [spf-discuss] SPF on HELO - take 2

2009-01-08 10:13:04
On Thursday 08 January 2009 09:42, Alessandro Vesely wrote:
> Scott Kitterman wrote:
>> On Thu, 08 Jan 2009 13:46:54 +0100 Alessandro Vesely
>> <vesely(_at_)tana(_dot_)it> wrote:
>>> Perhaps SPF on HELO would have been more effective if servers checked
>>> the name resulting from rDNS.
>>
>> SPF only does what it does and isn't a panacea.
>
> Yup, it blocks senders, not hosts. Possibly, someone on this list
> recalls how come RFC 4408 recommends checking the HELO identity as well...

It started out as a fallback for what to do for null sender (Mail From <>)
messages, but proved to have general utility.

>> Typically in cases like this [...] you can tell this is bogus before you
>> even check SPF or rDNS.
>
> Yet, it's not quite sound to reject a message on that basis. The
> ability to reject spurious senders right on the MAIL FROM command is
> SPF's centerpiece. SPF on HELO can add or subtract a few points from a
> spam score, and I'm not sure whether that deserves being highlighted
> as a prominent feature for marketing purposes.

I disagree.  Rejecting mail with an SPF HELO result that is not Pass/None is 
quite safe and low cost.  

Many entities reject mail where forward/reverse DNS don't match (AOL for one).  
Even more reject for lack of rDNS.  So rejecting mail for faulty HELO/EHLO is 
quite well established even if the RFCs are behind (as usual).  SPF HELO 
checks add to this and are an easy win that does not have any of the (from my 
view small, but still real) downsides of rejecting mail based on SPF Fail for 
Mail From.

If a server is acting as an MSA (submission agent) then for submission, I 
totally agree that rejecting based on HELO/EHLO issues is unsound, but you 
shouldn't check SPF at all in that case.  

For MTA to MTA transactions, what is unsound about rejecting mail from a 
non-existent HELO name or one where the HELO name A record doesn't match?

Scott K
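As an added illustration of the MTA-to-MTA policy Scott describes (not code from this thread or any SPF project), here is a Python decision function that applies his three rejection criteria in order: a HELO name that does not resolve, address records that do not cover the connecting IP, and an SPF HELO result other than pass/none, with submission sessions exempted entirely. The in-memory DNS table is constructed so the code runs offline; the 451 response for temperror and the handling of bracketed address literals are my assumptions, not something the message states.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for DNS: HELO name -> address records (A/AAAA).
FAKE_DNS = {
    "mail.example.org": ["192.0.2.25", "2001:db8::25"],
    "mx.example.net": ["198.51.100.7"],
}


@dataclass
class Verdict:
    code: int       # SMTP reply: 250 accept, 451 defer, 550 reject
    reason: str


def check_helo(helo, client_ip, spf_helo_result, is_submission=False, dns=FAKE_DNS):
    """Decide on a HELO/EHLO name for an MTA-to-MTA session.

    Checks run in order: submission exemption, name existence, address match
    against the connecting IP, then the SPF HELO result.  Only pass/none are
    accepted; temperror is deferred (assumption), everything else rejected.
    """
    if is_submission:
        # Scott's MSA point: do not evaluate HELO or SPF on submission at all.
        return Verdict(250, "submission session: HELO/SPF not evaluated")

    ip = ipaddress.ip_address(client_ip)
    name = helo.lower().rstrip(".")

    if name.startswith("[") and name.endswith("]"):
        # Assumption: an address literal must simply equal the connecting IP.
        literal = name[1:-1].removeprefix("ipv6:")
        if ipaddress.ip_address(literal) != ip:
            return Verdict(550, f"HELO literal {helo} is not the client address")
        records = [client_ip]
    else:
        records = dns.get(name)
        if records is None:
            return Verdict(550, f"HELO {helo} does not resolve")
        if ip not in {ipaddress.ip_address(r) for r in records}:
            return Verdict(550, f"HELO {helo} address records do not include {client_ip}")

    result = spf_helo_result.lower()
    if result in ("pass", "none"):
        return Verdict(250, f"SPF HELO {result}")
    if result == "temperror":
        return Verdict(451, "SPF HELO temperror, try again later")
    return Verdict(550, f"SPF HELO {result}")
```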

