Mailing List Archive: SPF: Discuss

Proposed helo mechanism example

Index | Next | Previous | View Threaded

stuart at bmsi

Jul 14, 2009, 7:53 AM

Post #1 of 7 (1647 views)
Permalink

Proposed helo mechanism example

On Tue, 14 Jul 2009, alan wrote:

> the helo is validated by testing the for an spf for
> postmaster [at] smtp-out thats what SPF recommends already

That validates the HELO SPF *identity*. I am not talking about that.
If one wants to use the HELO name as a substitute PTR name as I proposed
(for validating the MAIL FROM identity), it is "validated" the same as a
DNS PTR record.

Apart from those missing the point, the main argument against the
proposal is that it isn't needed because the MTAs could be authorized
(for MAIL FROM - we are not talking about the HELO identity) by
a list of IP4 or A mechanisms. The very senders (like me) who might want
to use HELO as a PTR, are going to have few MTAs - certainly less than 100 in
fact. Any more, and they will have 256 IP blocks and have no trouble setting
PTR records. In fact, more than 32 IPs, and there will probably be
enough money flowing to the ISP, that they will be more likely to
respond to PTR requests, or provide an automated interface.

So the worst case is 100 MTAs in a /25 block - which should probably
be listed with an IP4:1.2.3.4/25. But, for those missing the point,
an example might help:

A small email admin has 12 MTAs on 4 /29 networks in 4 cities. He doesn't want
to have a big SPF record listing them individually. He doesn't want to have
two dummy A records with 6 Ips each. They aren't the same as the incoming
MXes. His ISP is the local cable monopoly in 4 cities, and getting their DNS
flunkies to update the PTR records in a timely and accurate manner is not
feasible. So, he establishes a naming convention: m1.smtp.example.com to
m12.smtp.example.com and uses those for HELO on the 12 MTAs. He then creates
an SPFv3 record as

example.com IN SPF "v=spf3.14 helo:smtp.example.com -all"

This authorizes example.com mail from the MTAs in all four cities.

When checking that SPF record, receivers lookup the A or AAAA RR for the HELO
name, and if there is an IP matching the connect IP, it is "validated",
otherwise (i.e. the HELO is syntactically invalid or there is no A or AAAA
RR) the HELO fails to match. If the HELO name is valid, the HELO mechanism
matches if the name ends with the same labels as the argument - analogous
to the PTR mechanism.

I use helo:%{d} now for bestguess. Those talking about "admin relationships"
are completely missing the point. I couldn't care less about admin
relationships among spammers. When I get an email with a best guess
SPF pass like this:

2009Jul14 10:32:47 [5519] Received-SPF: None (mail.bmsi.com: 64.16.195.145 is neither permitted nor denied by domain of headvillage.com) client-ip=64.16.195.145; envelope-from="DoggieBathroom [at] headvillage"; helo=ssl.headvillage.com; receiver=mail.bmsi.com; mechanism=a/24; x-bestguess=pass; x-helo-spf=pass; identity=mailfrom

I can hit the blacklist button for headvillage.com without any qualms.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

scott at kitterman

Jul 14, 2009, 8:23 AM

Post #2 of 7 (1563 views)
Permalink

Re: Proposed helo mechanism example [In reply to]

On Tue, 14 Jul 2009 10:53:19 -0400 (EDT) "Stuart D. Gathman"
<stuart [at] bmsi> wrote:
>On Tue, 14 Jul 2009, alan wrote:
>
>> the helo is validated by testing the for an spf for
>> postmaster [at] smtp-out thats what SPF recommends already
>
>That validates the HELO SPF *identity*. I am not talking about that.
>If one wants to use the HELO name as a substitute PTR name as I proposed
>(for validating the MAIL FROM identity), it is "validated" the same as a
>DNS PTR record.
>
>Apart from those missing the point, the main argument against the
>proposal is that it isn't needed because the MTAs could be authorized
>(for MAIL FROM - we are not talking about the HELO identity) by
>a list of IP4 or A mechanisms. The very senders (like me) who might want
>to use HELO as a PTR, are going to have few MTAs - certainly less than 100 in
>fact. Any more, and they will have 256 IP blocks and have no trouble setting
>PTR records. In fact, more than 32 IPs, and there will probably be
>enough money flowing to the ISP, that they will be more likely to
>respond to PTR requests, or provide an automated interface.
>
>So the worst case is 100 MTAs in a /25 block - which should probably
>be listed with an IP4:1.2.3.4/25. But, for those missing the point,
>an example might help:
>
>A small email admin has 12 MTAs on 4 /29 networks in 4 cities. He doesn't
want
>to have a big SPF record listing them individually. He doesn't want to
have
>two dummy A records with 6 Ips each. They aren't the same as the incoming
>MXes. His ISP is the local cable monopoly in 4 cities, and getting their
DNS
>flunkies to update the PTR records in a timely and accurate manner is not
>feasible. So, he establishes a naming convention: m1.smtp.example.com to
>m12.smtp.example.com and uses those for HELO on the 12 MTAs. He then
creates
>an SPFv3 record as
>
>example.com IN SPF "v=spf3.14 helo:smtp.example.com -all"
>
>This authorizes example.com mail from the MTAs in all four cities.
>
>When checking that SPF record, receivers lookup the A or AAAA RR for the HELO
>name, and if there is an IP matching the connect IP, it is "validated",
>otherwise (i.e. the HELO is syntactically invalid or there is no A or AAAA
>RR) the HELO fails to match. If the HELO name is valid, the HELO mechanism
>matches if the name ends with the same labels as the argument - analogous
>to the PTR mechanism.
>
>I use helo:%{d} now for bestguess. Those talking about "admin relationships"
>are completely missing the point. I couldn't care less about admin
>relationships among spammers. When I get an email with a best guess
>SPF pass like this:
>
>2009Jul14 10:32:47 [5519] Received-SPF: None (mail.bmsi.com: 64.16.195.145
is neither permitted nor denied by domain of headvillage.com)
client-ip=64.16.195.145; envelope-from="DoggieBathroom [at] headvillage";
helo=ssl.headvillage.com; receiver=mail.bmsi.com; mechanism=a/24;
x-bestguess=pass; x-helo-spf=pass; identity=mailfrom
>
>I can hit the blacklist button for headvillage.com without any qualms.

I think that makes sense. What's not clear to me is why anything needs to
be changed in the standard to accomodate this?

Best guess is probably a good topic for additional discussion and
documentation, but I think the decision to make SPF strictly opt-in and not
include it in the RFC was and is the right one.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Jul 14, 2009, 8:32 AM

Post #3 of 7 (1574 views)
Permalink

Re: Proposed helo mechanism example [In reply to]

you i think are missing the point the way this would be archived properly

if you wanted to go the mad route of defining legit sending ip's via their helo is

"v=spf1 include:%{h4r}.smtp.example.com -all"

and ensure the spf for each xx.smtp.example.com is
"v=spf1 A -all"

thus it will pass if helo=one of yours and connecting ip is pointed to by that helo's A

but as we are all trying to tell you if you have more than 1 mail host you are very unlikely to only send from the one domain

this way at least any envelope-domain could list the servers in question ie

example1.com and example2.com and example.com are yours
you could still use
"v=spf1 include:%{h4r}.smtp.example.com -all" in all three to allow to be sent from xx.smtp.example.com if validated

as i have repeatedly mentioned this will not get you round anyones checking for valid ptr {as its unconnected to spf}
{as far as the spf ptr: method i have yet to see any clue full organisations choose to use it}
as SPF is about limiting {as much as humanly possible, the ip's which will pass to only those needing it}

At 15:53 14/07/2009 Tuesday, Stuart D. Gathman wrote:
>On Tue, 14 Jul 2009, alan wrote:
>
>> the helo is validated by testing the for an spf for
>> postmaster [at] smtp-out thats what SPF recommends already
>
>That validates the HELO SPF *identity*. I am not talking about that.
>If one wants to use the HELO name as a substitute PTR name as I proposed
>(for validating the MAIL FROM identity), it is "validated" the same as a
>DNS PTR record.
>
>Apart from those missing the point, the main argument against the
>proposal is that it isn't needed because the MTAs could be authorized
>(for MAIL FROM - we are not talking about the HELO identity) by
>a list of IP4 or A mechanisms. The very senders (like me) who might want
>to use HELO as a PTR, are going to have few MTAs - certainly less than 100 in
>fact. Any more, and they will have 256 IP blocks and have no trouble setting
>PTR records. In fact, more than 32 IPs, and there will probably be
>enough money flowing to the ISP, that they will be more likely to
>respond to PTR requests, or provide an automated interface.
>
>So the worst case is 100 MTAs in a /25 block - which should probably
>be listed with an IP4:1.2.3.4/25. But, for those missing the point,
>an example might help:
>
>A small email admin has 12 MTAs on 4 /29 networks in 4 cities. He doesn't want
>to have a big SPF record listing them individually. He doesn't want to have
>two dummy A records with 6 Ips each. They aren't the same as the incoming
>MXes. His ISP is the local cable monopoly in 4 cities, and getting their DNS
>flunkies to update the PTR records in a timely and accurate manner is not
>feasible. So, he establishes a naming convention: m1.smtp.example.com to
>m12.smtp.example.com and uses those for HELO on the 12 MTAs. He then creates
>an SPFv3 record as
>
>example.com IN SPF "v=spf3.14 helo:smtp.example.com -all"
>
>This authorizes example.com mail from the MTAs in all four cities.
>
>When checking that SPF record, receivers lookup the A or AAAA RR for the HELO
>name, and if there is an IP matching the connect IP, it is "validated",
>otherwise (i.e. the HELO is syntactically invalid or there is no A or AAAA
>RR) the HELO fails to match. If the HELO name is valid, the HELO mechanism
>matches if the name ends with the same labels as the argument - analogous
>to the PTR mechanism.
>
>I use helo:%{d} now for bestguess. Those talking about "admin relationships"
>are completely missing the point. I couldn't care less about admin
>relationships among spammers. When I get an email with a best guess
>SPF pass like this:
>
>2009Jul14 10:32:47 [5519] Received-SPF: None (mail.bmsi.com: 64.16.195.145 is neither permitted nor denied by domain of headvillage.com) client-ip=64.16.195.145; envelope-from="DoggieBathroom [at] headvillage"; helo=ssl.headvillage.com; receiver=mail.bmsi.com; mechanism=a/24; x-bestguess=pass; x-helo-spf=pass; identity=mailfrom
>
>I can hit the blacklist button for headvillage.com without any qualms.
>
>--
> Stuart D. Gathman <stuart [at] bmsi>
> Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
>"Confutatis maledictis, flammis acribus addictis" - background song for
>a Microsoft sponsored "Where do you want to go from here?" commercial.
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org
>Modify Your Subscription: http://www.listbox.com/member/
>Archives: https://www.listbox.com/member/archive/735/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/735/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

stuart at bmsi

Jul 14, 2009, 5:53 PM

Post #4 of 7 (1569 views)
Permalink

Re: Proposed helo mechanism example [In reply to]

On Tue, 14 Jul 2009, alan wrote:

> you i think are missing the point the way this would be archived properly
>
> if you wanted to go the mad route of defining legit sending ip's via their helo is
>
> "v=spf1 include:%{h4r}.smtp.example.com -all"

That doesn't validate the HELO name.

> and ensure the spf for each xx.smtp.example.com is
> "v=spf1 A -all"

You are confusing the HELO and MAIL FROM identities.

> as i have repeatedly mentioned this will not get you round anyones checking
> for valid ptr {as its unconnected to spf} {as far as the spf ptr: method i

That is a fair point. I am not pushing a helo mechanism anymore, just
reponding to comments that seem to miss the function. It would still
be a "nice to have" in addition to PTR, but if you don't like PTR,
you won't like HELO either as an SPF3 mechanism (since it is just
a PTR delivered via SMTP HELO).

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

stuart at bmsi

Jul 14, 2009, 6:01 PM

Post #5 of 7 (1565 views)
Permalink

Re: Proposed helo mechanism example [In reply to]

On Tue, 14 Jul 2009, Scott Kitterman wrote:

> I think that makes sense. What's not clear to me is why anything needs to
> be changed in the standard to accomodate [best guess]?

It doesn't. That was a response to the general objection to best guess.

The proposed HELO mechanism isn't absolutely necessary - it could
be replaced by A mechanisms listing multiple IPs, and IP4 net blocks.
When there are enough disconnected mail senders to make those impractical, the
ISP contracts are probably big enough to make PTR RRs reliable.

It is a "nice to have" way of listing MTAs by naming convention without
reliable access to maintaining PTR RRs.

It is *not* replaced by the attempts to use %{h} in various incarnations -
Those people don't "get" it yet.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Jul 14, 2009, 6:17 PM

Post #6 of 7 (1571 views)
Permalink

Re: Proposed helo mechanism example [In reply to]

At 01:53 15/07/2009 Wednesday, Stuart D. Gathman wrote:
>On Tue, 14 Jul 2009, alan wrote:
>
>> you i think are missing the point the way this would be archived properly
>>
>> if you wanted to go the mad route of defining legit sending ip's via their helo is
>>
>> "v=spf1 include:%{h4r}.smtp.example.com -all"
>
>That doesn't validate the HELO name.
>
>> and ensure the spf for each xx.smtp.example.com is
>> "v=spf1 A -all"
>
>You are confusing the HELO and MAIL FROM identities.

no i'm not this is the second identically functional equivalent to your HELO within spf syntax

show me one possible exception that would pass this rule and fail yours {or vice versa}

if you can't then admit the fact the two i have sent {though the latter}
v=spf1 a:{h4r}.smtp.example.com -all

is much more compact and simple to achieve identical results

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

stuart at bmsi

Jul 15, 2009, 11:27 AM

Post #7 of 7 (1560 views)
Permalink

Re: Proposed helo mechanism example [In reply to]

On Wed, 15 Jul 2009, alan wrote:

> show me one possible exception that would pass this rule and fail yours {or
> vice versa}
>
> if you can't then admit the fact the two i have sent {though the latter}
> v=spf1 a:{h4r}.smtp.example.com -all
>
> is much more compact and simple to achieve identical results

I think you are right. The above does not validate HELO, but achieves
pass/fail in the desired situations, which is good enough for the
purpose of validating MTAs by HELO naming convention.

Ok, so can the proposed HELO mechanism. While I can come up with
scenarios where that trick won't work, they would be rather contrived.

I'll go back to proposing a "not" prefix for mechanisms so I don't have
to use convoluted -include:... constructs.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads