Tom Kistner wrote:
> Tim Jackson wrote:
>
> > Thanks! I'm glad I'm not the only one who's thinking this. Not a
> > complete solution, nor addressing exactly the same problem, but it
> > seems to me that inventing a completely new solution (i.e. SPF) that
> > breaks things when we haven't even exhausted existing methods is a
> > shame. No doubt someone will point out how unlikely it is that
> > everyone will ever have working rDNS - I agree, but if that's true,
> > what are the chances of everyone making far bigger changes to their
> > software to cope with SPF rewriting?
>
> The big difference is that SPF info is put in the forward DNS, and thus
> is per-domain. rDNS is per-address. Now throw in NAT, "virtual" servers
> and other abominations, and it does not work any more ...
>
> I also think that 'HELO name == rDNS lookup' is a good idea, but reality
> is in the way :)
>
If that is true then SPF will never work; here is a snippet straight from
the SPF website FAQ.
http://spf.pobox.com/faq.html
<START FROM_FAQ>
------------------------------------------------------------------------
Q. How does it work?
A. Suppose a spammer forges a hotmail.com address and tries to spam you.
He connects from an IP address somewhere.
When he declares MAIL FROM: <forged_address@???>, you don't have
to believe him. You can ask Hotmail if the IP address comes from their
network.
(In this example) Hotmail publishes an SPF record. That record tells you
how to find out if the client IP address belongs to them.
hotmail.com IN TXT "v=spf1 ptr -all"
You execute the "ptr" mechanism, which means: find out the hostname of
the client; if it ends in hotmail.com, it's legit.
If the message fails SPF tests, it's a forgery. That's how you can tell
it's probably a spammer.
------------------------------------------------------------------------
Q. But do you verify the PTR response?
A. Yes, the hostname returned by a PTR has to also resolve back to the IP
address given. This is standard practice.
------------------------------------------------------------------------
</START FROM_FAQ>
--
So see, if SPF requires proper DNS PTR records, why not just start there to
begin with?
--EAL--
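
The "ptr" check quoted from the FAQ above (PTR lookup, forward confirmation, then domain match), as an added example that is not part of the original message or the SPF project's code. The DNS tables are constructed sample data using documentation address ranges, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample DNS data (documentation IP ranges, example domains).
PTR = {
    "192.0.2.10": ["mx1.example.com."],
    "192.0.2.66": ["mail.example.com."],       # PTR claims a name in the domain
    "198.51.100.7": ["host7.isp.example.net."],
    "198.51.100.9": ["mail.evilexample.com."],  # look-alike suffix
    # 203.0.113.5 deliberately has no PTR record
}
A = {
    "mx1.example.com.": ["192.0.2.10"],
    "mail.example.com.": ["192.0.2.99"],        # forward zone does not point back
    "host7.isp.example.net.": ["198.51.100.7"],
    "mail.evilexample.com.": ["198.51.100.9"],
}

def validated_names(client_ip, ptr=PTR, a=A):
    """PTR names whose forward lookup contains client_ip (the FAQ's
    'has to also resolve back to the IP address given')."""
    ip = str(ipaddress.ip_address(client_ip))
    return [name for name in ptr.get(ip, []) if ip in a.get(name, [])]

def ptr_mechanism_matches(client_ip, domain, ptr=PTR, a=A):
    """SPF "ptr": a validated name must equal the domain or be a subdomain."""
    target = domain.lower().rstrip(".") + "."
    for name in validated_names(client_ip, ptr, a):
        name = name.lower()
        # Compare on a label boundary so evilexample.com != example.com.
        if name == target or name.endswith("." + target):
            return True
    return False

def evaluate(client_ip, domain):
    """Result of the record "v=spf1 ptr -all" published by domain."""
    return "pass" if ptr_mechanism_matches(client_ip, domain) else "fail"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "198.51.100.7",
               "198.51.100.9", "203.0.113.5"):
        print(ip, evaluate(ip, "example.com"))
```

The address with a PTR inside the domain but no confirming forward record fails, which is the verification step the second FAQ answer describes.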