On Mon, 2004-08-02 at 14:27, Hochstrasser Benedikt wrote:
> helo_verify verifies the sending host via reverse lookup (IP -> name);
> if the name don't match -> sayonara.
> Unfortunately, there are many sites who have a bunch of front-end
> mailers (like mail1.domain.org, mail2.domain.org etc) who present
> themselves as "mail.domain.org" but of course the reverse lookup will
> fail. OTOH, each of these front-end mailers are registered MXes for that
> domain so I can assume they're legit.
Personally I don't consider HELO worth checking at all other than the
common spam case (HELO is my name, or HELO is my IP)
[... snipped ...]
> That way we will a) catch all spammers (unless they're using a
> registered relay) and b) still allow mail from all "legitimate" domains.
You have just re-invented SPF except without the degree of thought and
design that has gone into SPF. You could implement your policy using
SPF but you need to be aware that until the whole internet is fully SPF
compliant (probably never), you will lose mail through "false"
positives.
How bloody minded you can afford to be on this depends on your
environment.
http://spf.pobox.com/
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]