On 02/14, Jonas Eckerman wrote:
> The SPF record above says that a host using "panic.chaosreigns.com" in
> HELO should not be allowed to send mail unless it has the IP address
> 64.71.152.40, regardless of the domain in the envelope from, From:
> header, etc.
>
> That's not exactly the same as your MTX scheme, but it has similar
> results when combined with a FCDNS check on HELO (providing your scheme
> is universally adopted).

You're right, I missed that, thank you.

The complication, of course, is where a spammer owns the (forgeable) HELO
domain but not the IP (PTR). Full circle DNS handles that. Has the
combination been implemented?

SPF HELO + FCDNS's disadvantages compared to MTX are minor:
1) Complication.
2) 3 DNS lookups (HELO, PTR, SPF, possibly more if the SPF record isn't
   all IPs) instead of 2 (PTR, A).
3) Association with SPF (MAIL FROM), which people are emotional about.
   Possibly a lack of separate SPF records for HELO and MAIL FROM if they
   are the same.

> If you're serious about your proposal, you should explain (in your
> documentation) in what important way it differs from SPF as used against
> HELO and other similar schemes, and why it is better.

I had not seen the need to specifically address SPF HELO until now, I'll
do that. Have I missed other similar schemes?
http://www.chaosreigns.com/mtx/#comparisons

On 02/14, Jonas Eckerman wrote:
> * I think there should be a way to tell the world whether you are using
> the scheme for a domain (not host) or not. This could easily be done in
> DNS.

I need to think about this more, thanks for the suggestion. (More on
registrar boundaries below.)

> * I think you should follow conventions in DNS naming, using an
> underscore to signify that the DNS record is a "special" type of record.
> This is quite common.

That's probably a good idea, hmm.

> You could use SpamAssassin's registrar boundaries stuff for getting the
> domain in a SA plugin, and score higher for missing MTX host record if
> there is an MTX domain record.

How good is SA's registrar boundaries stuff? Sounds messy. I don't think
"Use SpamAssassin's registrar boundaries" would be good in an RFC.

I don't even know where the record should be for wildlife.state.nh.us.
www.state.nh.us exists, which would indicate mtx.state.nh.us. But it would
probably be significantly more useful at mtx.wildlife.state.nh.us. Icky.

You could give mtx.state.nh.us a value that indicates that you should check
the subdomain (mtx.wildlife.state.nh.us). Even if SA's registrar boundaries
pointed to mtx.wildlife.state.nh.us, you'd still need to be able to
delegate to another subdomain. Not giving me warm fuzzies.

> To say that "marmaduke.frukt.org" [195.67.112.219] is allowed to send mail:
> 219.112.67.195._mtx.marmaduke.frukt.org. IN A 127.0.0.1
>
> To say that we're using your scheme for all hosts under "frukt.org":
> _mtx.frukt.org. IN A 127.0.0.1

Yup. Or maybe participant._mtx.frukt.org. Giving an A record to the _mtx
subdomain itself seems potentially problematic, although I'm not coming up
with a specific reason at the moment. Any suggestions other than
"participant"? That would probably be the most arbitrary part of the spec.

> If anyone connects from a host where reverse lookup or HELO puts it in
> "frukt.org" domain, you know that you should reject or score high unless
> it has FCDNS and a matching MTX record.

Yup.

> (And of course, if this catches on, you'll have to provide RFC style
> documentation.)

Yup.

On 02/14, Jonas Eckerman wrote:
> On 2010-02-13 21:48, dar...@chaosreigns.com wrote:
>> On 02/13, mouss wrote:
>>
>>> http://mipassoc.org/csv/draft-ietf-marid-csv-csa-02.txt
>> Looks like it ties the helo domain to the delivering IP, breaking (broken)
>> forwarding just like SPF?
>
> Tying the HELO domain to an IP does not break forwarding. The host
> name (including domain) used in HELO is independent from the domain used
> in MAIL FROM.

Yup, sorry. It looks like Client SMTP Authorization doesn't require
ownership of the IP. So a spammer could send spam from any IP on the
internet, as long as they use a HELO matching a domain they own and have
created the CSA records for.

> (It's not that use of SPF that breaks (borken) forwarding, it's the
> limits connected to the domain used in MAIL FROM.)

Right.
-- 
"Forget not that the earth delights to feel your bare feet and the winds
long to play with your hair." - Kahlil Gibran
http://www.ChaosReigns.com
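As an added illustration (not code from this thread, from the MTX proposal or from SpamAssassin), the following Python sketch implements the receiving-side rule discussed above: do a full-circle reverse DNS check (PTR, then A back to the connecting IP), look for the per-host record `<reversed-ip>._mtx.<hostname> IN A 127.0.0.1`, and, when that is missing, reject only if the PTR name or the HELO name falls under a domain that publishes `_mtx.<domain> IN A 127.0.0.1` (Jonas's form; the `participant._mtx` variant is not used). DNS is replaced by a constructed in-memory table so the code runs offline; the only real names in it are `marmaduke.frukt.org` / `195.67.112.219` from the quoted message, and the `10.0.0.x` / `192.0.2.x` hosts are made up. The "walk up the labels until a `_mtx` record is found" loop is an assumption standing in for whatever registrar-boundary logic a real implementation would settle on.

```python
import ipaddress

# Constructed stand-in for DNS: (owner name, rrtype) -> list of rdata.
# Only marmaduke.frukt.org / 195.67.112.219 come from the thread; the
# rest are made-up hosts chosen to exercise each branch of the check.
FAKE_DNS = {
    # Jonas's example: FCrDNS passes and a per-host MTX record exists.
    ("219.112.67.195.in-addr.arpa", "PTR"): ["marmaduke.frukt.org"],
    ("marmaduke.frukt.org", "A"): ["195.67.112.219"],
    ("219.112.67.195._mtx.marmaduke.frukt.org", "A"): ["127.0.0.1"],
    # Domain-level participation record for everything under frukt.org.
    ("_mtx.frukt.org", "A"): ["127.0.0.1"],
    # Constructed: FCrDNS passes but no per-host MTX record was published.
    ("5.0.0.10.in-addr.arpa", "PTR"): ["zombie.frukt.org"],
    ("zombie.frukt.org", "A"): ["10.0.0.5"],
    # Constructed: unrelated domain that does not participate at all.
    ("7.0.0.10.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["10.0.0.7"],
}


def lookup(name, rrtype, dns=FAKE_DNS):
    """Return rdata for name/rrtype, or [] (NXDOMAIN / NODATA)."""
    return dns.get((name.lower().rstrip("."), rrtype), [])


def reversed_octets(ip):
    """'195.67.112.219' -> '219.112.67.195' (validates the address too)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def mtx_record_name(ip, hostname):
    """Owner name of the per-host MTX record for this ip/hostname pair."""
    return f"{reversed_octets(ip)}._mtx.{hostname.lower().rstrip('.')}"


def fcrdns_hostname(ip, dns=FAKE_DNS):
    """Full-circle reverse DNS: PTR -> name, and name's A must include ip."""
    for name in lookup(reversed_octets(ip) + ".in-addr.arpa", "PTR", dns):
        if ip in lookup(name, "A", dns):
            return name.lower().rstrip(".")
    return None


def participating_domain(hostname, dns=FAKE_DNS):
    """Walk from the host name up through its parent domains (assumption:
    stop before the TLD) and return the first one with _mtx.<domain>."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        domain = ".".join(labels[i:])
        if "127.0.0.1" in lookup("_mtx." + domain, "A", dns):
            return domain
    return None


def evaluate_sender(ip, helo, dns=FAKE_DNS):
    """Apply the thread's rule. Returns (verdict, reason) where verdict is
    'pass' (FCrDNS + matching MTX record), 'reject' (a claimed name is under
    a participating domain but the host has no valid MTX record), or
    'neutral' (nobody claims participation, so MTX says nothing)."""
    host = fcrdns_hostname(ip, dns)
    if host is not None and "127.0.0.1" in lookup(mtx_record_name(ip, host), "A", dns):
        return "pass", f"MTX record present for {host} at {ip}"
    for claimed in (host, helo):
        if claimed:
            domain = participating_domain(claimed, dns)
            if domain:
                return "reject", (f"{claimed} is under participating domain "
                                  f"{domain} but {ip} has no FCrDNS+MTX record")
    return "neutral", "no MTX participation claimed by PTR or HELO"


if __name__ == "__main__":
    for ip, helo in [("195.67.112.219", "marmaduke.frukt.org"),
                     ("10.0.0.5", "zombie.frukt.org"),
                     ("192.0.2.9", "fake.frukt.org"),   # no PTR, forged HELO
                     ("10.0.0.7", "mail.example.net")]:
        print(ip, helo, "->", evaluate_sender(ip, helo))
```

The forged-HELO case (`192.0.2.9` claiming `fake.frukt.org`) is the one the thread cares about: the connecting IP has no reverse DNS at all, so it can never produce a matching MTX record, yet the HELO name alone is enough to put it under a participating domain and trigger the reject branch. A host in a non-participating domain gets "neutral", which is why the domain-level record matters for scoring.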