spf-discuss

Re: [spf-discuss] Feature request for SPFv3

2009-07-13 16:14:25
At 18:01 13/07/2009  Monday, Stuart D. Gathman wrote:
On Fri, 10 Jul 2009, alan wrote:

At 21:52 10/07/2009  Friday, Stuart D. Gathman wrote:
In my "best-guess" algorithm, a validated HELO (that resolves to the connect IP)
is added to the collection of validated PTR records for the PTR mechanism.


Untrue. Example: if a spammer has a bot infecting my home PC
(PTR host244.freudenhaus.alandoherty.net),
he can quite happily connect to you and HELO as mail.spammersdomain.com
and have ensured that mail.spammersdomain.com points at my IP {and possibly
100 others, OK 5},
thus passing your test but proving nothing of his authenticity {as we know
the IP is mine, not his}.

You wouldn't put ptr:spammersdomain.com in your SPF policy (would you?).

Yes, but I wouldn't be wanting to send email via non-legit MTAs.

Spammers at spammerdomain do want mail via non-legit MTAs to pass receiver
policies
{50 cents each through most Chinese registrars};
they just register more domains as the old ones get blacklisted, at a cost of 50
cents a week ish.


It proves that the email was controlled by spammersdomain.com, and
that is the domain that gets blacklisted, not alandoherty.net.

But as I say, this is always too little, too late.


The checking of PTR > name > IP
is a method of validating the IP's identity, not the HELO or the SPF records.

In other words, senders/receivers use SPF to control forgeries.

PTR > name > IP
{is a check done entirely independently of SPF, DKIM etc., not to control
forgeries,
just to control un-forged {and no-SPF or permissive-SPF, forged} spam}.

HELO > name > IP validates HELO.

You can already authorize IPs you have no PTR set up for in your SPF.

That is a fair point: probably strong enough to withdraw the proposal.
Since you (the sender) control the HELO, you can always provide an A mechanism
instead for an SPF policy.

Exactly
{or, like we require if you want a broken PTR whitelisted here:
to be accepted you MUST HELO as hostname.yourdomain.tld, not yourdomain.tld {all
too common mistake};
you must set up an A for hostname.yourdomain.tld pointing to the connecting IP(s);
you must set up an SPF for hostname.yourdomain.tld terminating -all, only
authorising the same IP(s);
we encourage setting up a CSV for hostname.yourdomain.tld only authorising the
same IP(s)}.


The enhanced PTR (or HELO) mechanism is only really useful in
best-guess algorithms.  I was just hoping to help standardize guessing a
little.

The whole concept of best-guess algorithms I find ham-fisted.
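The two checks argued over above (PTR > name > IP, which validates the IP's own identity, versus HELO > name > IP, which only proves the HELO name points at the IP), together with the receiver policy for whitelisting a host with broken PTR, as an added example written for this page rather than code from either poster. It uses a constructed in-memory DNS table (the thread's host names plus documentation-range addresses) in place of a real resolver.

```python
# Constructed stand-in for DNS: PTR, A and TXT data keyed by IP or name.
# Addresses are documentation-range placeholders, not real hosts.
PTR = {"192.0.2.44": ["host244.freudenhaus.alandoherty.net"]}
A = {
    "host244.freudenhaus.alandoherty.net": ["192.0.2.44"],
    "mail.spammersdomain.com": ["192.0.2.44"],   # spammer points his name at the victim's IP
    "mx1.example.org": ["198.51.100.7"],
}
TXT = {
    "mx1.example.org": ["v=spf1 ip4:198.51.100.7 -all"],
    "mail.spammersdomain.com": ["v=spf1 +all"],
}

def fcrdns_names(ip):
    """PTR > name > IP: names from the reverse lookup whose A record contains
    the connecting IP. Only the IP's owner controls these, so they speak to
    the IP's identity independently of HELO, SPF or DKIM."""
    return [name for name in PTR.get(ip, []) if ip in A.get(name, [])]

def helo_validates(helo, ip):
    """HELO > name > IP: true whenever the HELO name resolves to the IP, which
    anyone can arrange for an IP they do not own (the thread's objection)."""
    return ip in A.get(helo, [])

def spf_authorised_ips(name):
    """ip4: tokens of the name's v=spf1 record and whether it ends in -all."""
    for txt in TXT.get(name, []):
        tokens = txt.split()
        if tokens and tokens[0] == "v=spf1":
            ips = [t[len("ip4:"):] for t in tokens if t.startswith("ip4:")]
            return ips, tokens[-1] == "-all"
    return [], False

def helo_policy_ok(helo, ip):
    """Receiver policy from the thread for a host whose PTR is broken:
    HELO must be hostname.yourdomain.tld (not a bare domain), its A record
    must contain the connecting IP, and its SPF record must end in -all and
    authorise exactly that host's A addresses. (CSV is not modelled.)"""
    if helo.count(".") < 2:            # bare yourdomain.tld is rejected
        return False
    a_ips = A.get(helo, [])
    if ip not in a_ips:
        return False
    spf_ips, hard_fail = spf_authorised_ips(helo)
    return hard_fail and set(spf_ips) == set(a_ips)

if __name__ == "__main__":
    ip = "192.0.2.44"
    print("FCrDNS names for", ip, "->", fcrdns_names(ip))
    print("HELO mail.spammersdomain.com validates:", helo_validates("mail.spammersdomain.com", ip))
    print("mx1.example.org passes policy:", helo_policy_ok("mx1.example.org", "198.51.100.7"))
```

Running it shows the spammer's HELO passing the HELO > name > IP check while never appearing among the PTR-validated names for the IP, and failing the receiver policy because its SPF record does not terminate in -all.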


