Can you explain what this would provide?  Section 4.1.4 of RFC 5321 says of
the EHLO parameter:

   An SMTP server MAY verify that the domain name argument in the EHLO
   command actually corresponds to the IP address of the client.
   However, if the verification fails, the server MUST NOT refuse to
   accept a message on that basis.


Since it can't be used for filtering decisions, and thus in effect this
could be any value and the server MUST accept it, I've never understood why
it's an interesting thing to include in any sort of report or
decision-making.

-MSK, participating

On Thu, Oct 20, 2022 at 6:35 PM Douglas Foster <
[email protected]> wrote:

> We are missing an opportunity if we do not include the HELO name along
> with the IP address in the aggregate reports.    I would also recommend
> asking for fcDNS status (confirmed, not confirmed, not tested).
>
> The report receiver could do the fcDNS check himself, but there is a
> possibility that the results will be different if tested from a different
> geography at a later point in time.
>
> 1) HELO will often produce fcDNS confirmed, and it is often an accurate
> clue to the server owner even when it is not confirmed. Once you know the
> server owner, you can make reliable correlations across all IPs used by that
> organization.
>
> 2) Despite what might be assumed, the HELO name does not change very
> often, even for spam sources.   If and when the name does change, you still
> learn valuable data.   Three possibilities come to mind:
> a) The IP ownership has changed so the IP reputation needs to be
> re-evaluated.
> b) The source is playing name games so the IP reputation should be
> mistrusted further.
> c) The source is behind a shared V6-to-V4 gateway, so reputation needs to
> be based entirely on HELO instead of IP.
>
> And as a side benefit, we can ask for this information without causing any
> further disaggregation.
>
> Doug Foster
>
>
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>
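The three-valued fcDNS status proposed in the quoted message, sketched as an added example (not code from either participant or from the DMARC draft). It assumes "confirmed" means the HELO name resolves forward to the connecting IP; `helo_fcdns_status`, `sample_resolver` and the sample zone are hypothetical names and constructed data, and the result is only recorded, in line with the RFC 5321 text quoted above.

```python
import ipaddress
import socket

# Constructed sample zone (documentation names and addresses), so this runs offline.
SAMPLE_ZONE = {
    "mail.example.net": ["192.0.2.10", "2001:db8::10"],
    "mx.example.org": ["198.51.100.7"],
}

def sample_resolver(name):
    """Hypothetical stand-in for a DNS forward lookup over SAMPLE_ZONE."""
    if name == "slow.example.net":
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    if name not in SAMPLE_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return SAMPLE_ZONE[name]

def system_resolver(name):
    """Forward lookup (A and AAAA) through the system resolver."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def _norm(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr)
    return getattr(ip, "ipv4_mapped", None) or ip

def helo_fcdns_status(helo, client_ip, resolve=system_resolver):
    """Return 'confirmed', 'not confirmed' or 'not tested' for a report row.

    Assumption: 'confirmed' means the HELO name resolves forward to client_ip.
    The value is recorded only; it is never a reason to refuse the message.
    """
    name = helo.strip().rstrip(".").lower()
    # Address literals ([192.0.2.10]) and single-label names are not testable.
    if name.startswith("[") or "." not in name:
        return "not tested"
    try:
        answers = {_norm(a) for a in resolve(name)}
    except socket.gaierror as exc:
        # A definite "no such name" is a negative; anything else is unknown.
        return "not confirmed" if exc.errno == socket.EAI_NONAME else "not tested"
    return "confirmed" if _norm(client_ip) in answers else "not confirmed"
```

Separating a temporary lookup failure ("not tested") from a definite negative keeps a report generator from recording a resolver outage as a mismatch.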