At 18:01 13/07/2009 Monday, Stuart D. Gathman wrote:

> On Fri, 10 Jul 2009, alan wrote:
>
> > At 21:52 10/07/2009 Friday, Stuart D. Gathman wrote:
> >
> > > In my "best-guess" algorithm, a validated HELO (that resolves to the
> > > connect ip) is added to the collection of validated PTR records for
> > > the PTR mechanism.
> >
> > untrue:
> > example: if a spammer has a bot infecting my home PC
> > ptr host244.freudenhaus.alandoherty.net
> > he can quite happily connect to you and helo as mail.spammersdomain.com
> > and have ensured that mail.spammersdomain.com points at my ip {and
> > possibly 100 others, ok 5}
> > thus passing your test but proving nothing of his authenticity {as we
> > know the ip is mine not his}
>
> You wouldn't put ptr:spammersdomain.com in your SPF policy (would you?).

yes but I wouldn't be wanting to send email via non-legit MTAs
spammer at spammerdomain does want mail via non-legit MTAs to pass receiver
policies
{50 cents each through most Chinese registrars}
{they just register more domains as the old ones get blacklisted, at a cost of
50 cents a week ish}

> It proves that the email was controlled by spammersdomain.com, and
> that is the domain that gets blacklisted, not alandoherty.net.

but as I say this is always too little too late
the checking of ptr > name > ip
is a method of validating the ip's identity, not the helo or the spf records
in other words senders/receivers use SPF to control forgeries
ptr > name > ip
{is a check done entirely independently of SPF, DKIM etc., not to control
forgeries, just to control un-forged {and no-SPF or permissive-SPF, forged}
spam}
HELO > name > ip validates helo.
you can already authorize ips you have no ptr set up for in your spf

> That is a fair point: probably strong enough to withdraw the proposal.
> Since you (the sender) control the HELO, you can always provide an A
> mechanism instead for an SPF policy.

exactly
{or like we require if you want a broken ptr whitelisted here
to be accepted you MUST helo as hostname.yourdomain.tld not yourdomain.tld {all
too common mistake}
you must set up an A for hostname.yourdomain.tld pointing to the connecting ip(s)
you must set up an SPF for hostname.yourdomain.tld terminating -all, only
authorising the same ip(s)
we encourage setting up a CSV for hostname.yourdomain.tld only authorising the
same ip(s)}

> The enhanced PTR (or HELO) mechanism is only really useful in
> best-guess algorithms. I was just hoping to help standardize guessing a
> little.

the whole concept of best-guess algorithms I find ham-fisted
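The two independent checks alan distinguishes above (ptr > name > ip, which identifies the IP's owner, versus HELO > name > ip, which only shows the HELO name points at the IP), worked through on the thread's own bot scenario. This is an added example for this discussion, not code from the thread or from any SPF implementation; the DNS table, the IP addresses and the "same domain as the PTR name" rule are constructed simplifications.

```python
# Constructed DNS data modelling the thread's scenario (not real records): the
# connecting IP has a PTR under alandoherty.net, and the spammer has pointed
# mail.spammersdomain.com at that same IP. 192.0.2.0/24 is a documentation range.
CONNECT_IP = "192.0.2.44"
DNS = {
    "PTR": {"192.0.2.44": ["host244.freudenhaus.alandoherty.net"]},
    "A": {
        "host244.freudenhaus.alandoherty.net": ["192.0.2.44"],
        "mail.spammersdomain.com": ["192.0.2.44", "198.51.100.7"],
        "mx.legit.example": ["203.0.113.9"],
    },
}

def lookup(rrtype, key):
    """Stand-in resolver over the table above (a real check would query DNS)."""
    return DNS.get(rrtype, {}).get(key.lower().rstrip("."), [])

def forward_confirmed(name, ip):
    """name > ip: the name's A records include the connecting IP."""
    return ip in lookup("A", name)

def validated_ptr_names(ip):
    """ptr > name > ip: PTR names of the IP that resolve back to the IP."""
    return [n for n in lookup("PTR", ip) if forward_confirmed(n, ip)]

def helo_validated(helo, ip):
    """HELO > name > ip: the HELO name resolves to the connecting IP."""
    return forward_confirmed(helo, ip)

def helo_matches_ptr_identity(helo, ip):
    """Does the HELO name belong to the IP's own (PTR-derived) identity?
    Constructed simplification: 'same identity' means equal to a validated PTR
    name or a sibling under its parent domain; real code would use a suffix list."""
    helo = helo.lower().rstrip(".")
    for name in validated_ptr_names(ip):
        parent = name.split(".", 1)[-1]
        if helo == name or helo.endswith("." + parent):
            return True
    return False

def assess(helo, ip):
    """Summarise the independent checks for one connection."""
    return {
        "helo_resolves_to_ip": helo_validated(helo, ip),
        "helo_is_ip_identity": helo_matches_ptr_identity(helo, ip),
        "ptr_identity": validated_ptr_names(ip),
    }
```

For the bot case, `assess("mail.spammersdomain.com", CONNECT_IP)` reports the HELO as resolving to the IP but not as the IP's identity, which is alan's point: the validated HELO says nothing about who owns the address.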
-------------------------------------------
Sender Policy Framework: http://www.openspf.org