At 21:52 10/07/2009 Friday, Stuart D. Gathman wrote:
> In my "best-guess" algorithm, a validated HELO (that resolves to the connect ip)
> is added to the collection of validated PTR records for the PTR mechanism.
> I propose to make this a MUST behaviour for spfv3. Many small businesses
> on DSL or Cable internet find it difficult to get their ISP to maintain
> PTR records. The HELO name in an SMTP connection serves the same purpose
> as a PTR record, and is already available. PTR lookups are a waste
> of bandwidth (for authentication purposes) when HELO is available and valid.
> While SPF macros can select the rightmost parts of HELO, and it is
> possible for SPF to verify that HELO matches the connect ip (somewhat
> kludgily), I haven't hit on a way to check that the rightmost parts
> of HELO match the MAILFROM domain using spfv1.
> A literal compare operation added to spfv3 could serve the same purpose,
> but I don't have any concrete syntax proposals.
untrue:
example: if a spammer has a bot infecting my home pc
ptr host244.freudenhaus.alandoherty.net
he can quite happily connect to you and helo as mail.spammersdomain.com
and have ensured that mail.spammersdomain.com points at my ip {and possibly 100 others, ok 5}
thus passing your test but proving nothing of his authenticity {as we know the ip is mine not his}
the checking of ptr > name > ip
is a method of validating the ip's identity, not the helo or the spf records
it's entirely independent of spf and even isps refusing to check spf use it
[to either score or reject badly set up MTAs' mail]
as far as spf is concerned ptr is unused unless the spf policy of the helo or envelope-sender asks for it to be used
thus same spammer sending from blah@spammersotherdomain.com
as long as he has an spf of "v=spf1 A:mail.spammersdomain.com A:mail2.spammersdomain.com A:mail3.spammersdomain.com -ALL" on spammersotherdomain.com
and has an spf for mail{x}.spammersdomain.com of "v=spf1 A -ALL"
he has already passed all the most rigorous of spf checks
and ensures each of his helo names points to a cluster of bots and each bot in the cluster will helo with the right name
SPF is about authorising your IPs to send mail for your domains
you can already authorize ips you have no ptr setup for in your spf
receivers that refuse mail from servers with no ptr / broken ptr are not doing this due to spf, they do this due to common sense and will not change that anytime soon {this predates spf by many years and more dumb ISPs are unlikely to change this}
interestingly the theoretical bot herder in this case would get through both as my ptr will also pass ptr check {it doesn't have to be same name as helo}
{all sensible receivers will also whitelist servers from ptr checks if known to be legit and useless isp involved, I have many such whitelistings for MTAs I know are good despite being broken}
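The following is an added illustration of the three checks being argued over in this exchange (forward-confirmed reverse DNS, a HELO that resolves to the connecting IP, and SPF with the `a`/`ptr` mechanisms). It is not code from the thread or from any SPF implementation. The hostnames are the hypothetical ones used in the post; the addresses (192.0.2.x, documentation space), the `v=spf1 ptr -all` record on spammersdomain.com, and the `helo=` option of `check_spf` that models the quoted "best-guess" behaviour are constructed here.

```python
"""Toy SPF / PTR / HELO evaluation over a constructed in-memory DNS table.

Added example, not code from this thread or from any SPF implementation.
Hostnames are the hypothetical ones from the post; the IPs (192.0.2.x),
the "v=spf1 ptr -all" record and the helo= option are constructed.
"""
import ipaddress

# Constructed zone data for the scenario in the post (no real DNS is queried).
DNS = {
    # Names the sender controls, all pointed at the infected home PC.
    ("mail.spammersdomain.com", "A"): ["192.0.2.44"],
    ("mail2.spammersdomain.com", "A"): ["192.0.2.45"],
    ("mail3.spammersdomain.com", "A"): ["192.0.2.46"],
    ("spammersotherdomain.com", "TXT"): [
        "v=spf1 A:mail.spammersdomain.com A:mail2.spammersdomain.com "
        "A:mail3.spammersdomain.com -ALL"],
    ("mail.spammersdomain.com", "TXT"): ["v=spf1 A -ALL"],
    ("spammersdomain.com", "TXT"): ["v=spf1 ptr -all"],  # constructed policy
    # Reverse mapping of the home PC, published by the IP owner's ISP.
    ("44.2.0.192.in-addr.arpa", "PTR"): ["host244.freudenhaus.alandoherty.net"],
    ("host244.freudenhaus.alandoherty.net", "A"): ["192.0.2.44"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Case-insensitive lookup in the constructed table."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def fcrdns(ip):
    """Forward-confirmed reverse DNS: PTR -> name -> A must contain ip.

    The PTR is published by whoever owns the address block, so the names
    returned here identify the IP, not whoever happens to be sending mail.
    """
    rev = ipaddress.ip_address(ip).reverse_pointer
    return [name for name in lookup(rev, "PTR") if ip in lookup(name, "A")]


def helo_validated(helo, ip):
    """HELO forward check: the HELO name must resolve to the connecting IP.

    The sender picks the HELO name and publishes its A record, so passing
    this check proves nothing about who owns the IP.
    """
    return ip in lookup(helo, "A")


def check_spf(domain, ip, helo=None):
    """Minimal SPF evaluator: a, a:<domain>, ptr[:<domain>], all.

    With helo= set, a validated HELO is added to the names the ptr
    mechanism may match (the quoted "best-guess" behaviour).
    """
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "ptr":
            target = (arg or domain).lower()
            names = fcrdns(ip)
            if helo and helo_validated(helo, ip):
                names.append(helo.lower())
            matched = any(n == target or n.endswith("." + target) for n in names)
        else:
            return "permerror"  # mechanisms outside this toy are not modelled
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no explicit all


def evaluate_connection(ip, helo, mail_from_domain):
    """Run the checks discussed in the thread for one SMTP connection."""
    validated = fcrdns(ip)
    return {
        "spf_mailfrom": check_spf(mail_from_domain, ip),
        "spf_helo": check_spf(helo, ip),
        "helo_resolves_to_ip": helo_validated(helo, ip),
        "fcrdns_names": validated,
        "helo_is_fcrdns_name": helo.lower() in validated,
    }


if __name__ == "__main__":
    # The bot from the post: SPF and the HELO forward check all pass, while
    # the ISP's PTR names the machine as something else entirely.
    from pprint import pprint
    pprint(evaluate_connection("192.0.2.44", "mail.spammersdomain.com",
                               "spammersotherdomain.com"))
```

Running it shows the split the reply describes: both SPF results are `pass` and the HELO resolves to the connecting IP, yet the only FCrDNS name for that IP is the ISP's `host244...` name, which is not the HELO. The `helo=` variant of `check_spf` also shows what the proposal changes: a `ptr` mechanism on spammersdomain.com goes from `fail` (the ISP's PTR is in another domain) to `pass` once a sender-chosen HELO counts as a validated PTR name.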
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com