On 2013-08-12 09:30, Emmanuel Dreyfus wrote:
> On Mon, Aug 12, 2013 at 09:14:08AM +0200, Jim Klimov wrote:
>> So, this multiple DNS PTR is possible in theory, happens in practice,
>
> Do we want to take care of all SPF corner cases? That defense is
> already weak, I am not sure it is worth investing on it.

This would not even be an SPF defense, but rather the classic (though IMHO not yet obsolete) "DNS Sanity Check": that the registered "reverse" (PTR) and "forward" (A) entries for the connecting IP address match (according to some definition of "match": are identical, are in the same textual 2/3-level domain, etc.). A further check would be to involve the HELO name comparison in this as well. This all establishes the relative validity of the sending host itself: that it is properly administered by people with access to the relevant forward and reverse DNS zones.

Over a decade I had about 5 or so valid senders who had no control over their reverse DNS (such as having a "dial-up" consumer address, though static over time) and did need to communicate with our domains, so they got into our white-lists. Nowadays such hosts are accepted via SPF, if that is set up properly for their domains; and other "forged" sources might fall into a lengthy greylist (if logic to detect them does appear).

The envelope/email FROM domain does not come into consideration for DNS forgery tests, unlike SPF, since one host with its (ideally one) domain name all-around can be a relay for dozens of different hosted domains.

//Jim Klimov
Re: [milter-greylist] Submitter DNS name resolution and forgery detection
2013-08-12 by Jim Klimov
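The "DNS Sanity Check" described in the message above (PTR and A records of the connecting address must agree, with the HELO name compared against the result), written out as an added example. This is not code from milter-greylist or from the post's author; the zone data is constructed from documentation address ranges, and DNS lookups are injected as callables so the check runs offline. It also handles the two cases the message raises: an address with several PTR records, and a consumer address whose PTR has no matching forward entry. The envelope FROM domain is deliberately not consulted, as the message points out.

```python
"""Forward-confirmed reverse DNS sanity check with a HELO comparison.

Added example (not milter-greylist code). DNS data below is constructed;
lookups are passed in as functions so the check can be exercised offline.
"""
from typing import Callable, Dict, List

Lookup = Callable[[str], List[str]]

# Constructed sample zone data (hypothetical hosts in TEST-NET-1 / TEST-NET-2).
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net"],
    # One address with several PTR records; only one of them resolves back.
    "192.0.2.20": ["host20.isp.example", "mx.customer.example"],
    # Consumer "dial-up" style address: PTR exists, but no forward record for it.
    "192.0.2.30": ["pool-30.dialup.example"],
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "host20.isp.example": ["198.51.100.1"],
    "mx.customer.example": ["192.0.2.20", "192.0.2.21"],
}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so comparisons are textual."""
    return name.lower().rstrip(".")


def ptr_lookup(ip: str) -> List[str]:
    """Stand-in for a reverse (PTR) query against the constructed data."""
    return PTR_RECORDS.get(ip, [])


def a_lookup(name: str) -> List[str]:
    """Stand-in for a forward (A) query against the constructed data."""
    return A_RECORDS.get(normalize(name), [])


def domain_suffix(name: str, levels: int) -> str:
    """Last `levels` labels of a name; levels=2 turns mail.example.net into example.net."""
    return ".".join(normalize(name).split(".")[-levels:])


def forward_confirmed_names(ip: str, ptr: Lookup = ptr_lookup,
                            a: Lookup = a_lookup) -> List[str]:
    """PTR names of `ip` whose A records contain `ip` again.

    With several PTR records, any one that round-trips is accepted; the
    others are simply ignored rather than treated as forgery.
    """
    return [normalize(n) for n in ptr(ip) if ip in a(n)]


def check_sender(ip: str, helo: str, levels: int = 2,
                 ptr: Lookup = ptr_lookup, a: Lookup = a_lookup) -> Dict[str, object]:
    """Classify the connecting host, then compare its HELO against the result.

    status:     "no-ptr"    no reverse record at all
                "forged"    reverse record(s) exist but none resolves back to ip
                "confirmed" at least one PTR name round-trips
    helo_match: "identical"   HELO equals a confirmed name
                "same-domain" HELO shares the last `levels` labels with one
                "mismatch"    neither (always the case when nothing is confirmed)
    """
    confirmed = forward_confirmed_names(ip, ptr, a)
    if not ptr(ip):
        status = "no-ptr"
    elif not confirmed:
        status = "forged"
    else:
        status = "confirmed"

    h = normalize(helo)
    if h in confirmed:
        helo_match = "identical"
    elif any(domain_suffix(h, levels) == domain_suffix(n, levels) for n in confirmed):
        helo_match = "same-domain"
    else:
        helo_match = "mismatch"

    return {"status": status, "confirmed": confirmed, "helo_match": helo_match}


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "smtp.example.net"),
                     ("192.0.2.20", "mx.customer.example"),
                     ("192.0.2.30", "pool-30.dialup.example"),
                     ("192.0.2.40", "anything.example")]:
        print(ip, helo, check_sender(ip, helo))
```

The "forged" outcome for 192.0.2.30 is exactly the consumer-address case the message mentions: such a sender fails the sanity check through no fault of its own, which is why it ends up on a white-list (or, today, passes via SPF) rather than being rejected outright. The `levels` parameter is the "definition of match" knob: 2 treats anything under example.net as the same administrative domain, 3 is stricter for registries that hand out names one level deeper.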