Re: [Exim] Fixing SPF Forward Problem by Reply-to: Hack?

Top Page
Delete this message
Reply to this message
Author: Edgar Lovecraft
Date:  
To: exim-users
Subject: Re: [Exim] Fixing SPF Forward Problem by Reply-to: Hack?
Tom Kistner wrote:
> Tim Jackson wrote:
>
> > Thanks! I'm glad I'm not the only one who's thinking this. Not a
> > complete solution, nor addressing exactly the same problem, but it
> > seems to me that inventing a completely new solution (i.e. SPF) that
> > breaks things when we haven't even exhausted existing methods is a
> > shame. No doubt someone will point out how unlikely it is that
> > everyone will ever have working rDNS - I agree, but if that's true,
> > what are the chances of everyone making far bigger changes to their
> > software to cope with SPF rewriting?
>
> The big difference is that SPF info is put in the forward DNS, and thus
> is per-domain. rDNS is per-address. Now throw in NAT, "virtual" servers
> and other abominations, and it does not work any more ...
>
> I also think that 'HELO name == rDNS lookup' is a good idea, but reality
> is in the way :)
>

If that is true then SPF will never work, here is a snipete straight from
the SPF website FAQ.
http://spf.pobox.com/faq.html
<START FROM_FAQ>
------------------------------------------------------------------------
Q. How does it work?
A. Suppose a spammer forges a hotmail.com address and tries to spam you.
   He connects from an IP address somewhere.
   When he declares MAIL FROM: <forged_address@???>, you don't have
   to believe him. You can ask Hotmail if the IP address comes from their
   network.
   (In this example) Hotmail publishes an SPF record. That record tells you
   how to find out if the client IP address belongs to them.
         hotmail.com  IN TXT  "v=spf1  ptr  -all"
   You execute the "ptr" mechanism, which means: find out the hostname of
   the client; if it ends in hotmail.com, it's legit.
   If the message fails SPF tests, it's a forgery. That's how you can tell
   it's probably a spammer.
------------------------------------------------------------------------
Q. But do you verify the PTR response?
A. Yes, the hostname returned by a PTR has to also resolve back to the IP
   address given. This is standard practice.
------------------------------------------------------------------------
</START FROM_FAQ>
--
So see, if SPF requires proper DNS PTR records, why not just start there to
begin with?
--EAL--