R. Scott Perry wrote:

I'm not sure if this is in the RFC, but it would be a lot more accurate if you could compare the HELO to the SPF data. Some scripts also falsify the HELO, but nowhere near the number of forged domains in MAILFROM.


The original design for SPF allowed for that, but the current one does not. I'm not sure why that was changed.


This is kind of a response to all the follow ups this morning. I can't afford to use this test on the majority of my domains because I can't currently make use of WHITELIST AUTH, and I have enough customers that use third-party outgoing mail servers for one reason or another that this would cause issues there as well. I was already debating what to do with a spamdomains variant that was coded for local domains, and I was only scoring that at 20% of my fail weight. I could remove that test and replace it with SPF scored at 20%; however, the effects of the SPF would carry over to other sources that would potentially have problems and over which I would have no control. There is some potential with this as a negative weight test; however, once the spammers catch on, the value would be diminished greatly, and of course legit mail servers are sources of spam, just not as often as the illegitimate ones, and I don't see the need to credit senders based only on the fact that they matched their SPF records. IPNOTINMX already does most of this as a dumb test, and I only give that 1 point of credit anyway. Considering these issues, I don't see why I should push something forward with such a flaw.

I would, however, reevaluate the idea if it was modified to work on HELO instead of MAILFROM, though that would require some monitoring as there are always unexpected results. I hope that this can become a tool, and I'm all for the idea of supporting innovation by adding my own records to the mix, but I'm not convinced that this will help in its current format. I don't believe you can verify the sender any more reliably than we already are with SMTP, and efforts should instead be focused on verifying the server.

I'm very sorry to have not liked either this effort or the Web-O-Trust thing, and I don't want to sound like I'm just being critical for the sake of it (though sometimes I am overly critical), but I feel that it is constructive for me to say this if for no other reason than to warn others about the potential of issues, but hopefully rather to influence the process for the better. I'm sure there are others around here that feel the same way, but choose not to voice their opinions out of fear of insulting someone else...or maybe I'm just whacked :)

Matt
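The HELO-versus-MAILFROM point argued in the thread, as an added example that is not code from the list, from Declude or from any SPF library: a minimal offline SPF evaluator run against both identities, showing how a customer who relays through a third-party outgoing server fails on the MAIL FROM identity but passes on the HELO identity. The DNS table, domain names and addresses are constructed assumptions (documentation ranges), and only the ip4, a, mx, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS table standing in for real TXT/MX/A lookups (assumption).
# example.com is a hosted customer domain; relay.example.net is the
# third-party outgoing server its users actually send through.
DNS = {
    "example.com":       {"txt": "v=spf1 mx -all", "mx": ["mail.example.com"], "a": []},
    "mail.example.com":  {"txt": None, "mx": [], "a": ["198.51.100.10"]},
    "relay.example.net": {"txt": "v=spf1 ip4:203.0.113.0/24 -all", "mx": [], "a": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _ips(domain, kind):
    """Addresses behind a name: its A records, or the A records of its MX hosts."""
    rec = DNS.get(domain, {})
    if kind == "a":
        return rec.get("a", [])
    return [ip for mx in rec.get("mx", []) for ip in DNS.get(mx, {}).get("a", [])]

def check_spf(ip, domain, depth=0):
    """Evaluate one identity's SPF record for the connecting IP (first match wins)."""
    txt = DNS.get(domain, {}).get("txt")
    if txt is None or not txt.startswith("v=spf1") or depth > 10:
        return "none"                      # no record, or include recursion limit hit
    addr = ipaddress.ip_address(ip)
    for term in txt.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = ip in _ips(arg or domain, name)
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                       # record exhausted without a match

def check_both(ip, helo, mail_from):
    """SPF result for the HELO identity and the MAIL FROM identity, side by side."""
    return {"helo": check_spf(ip, helo),
            "mailfrom": check_spf(ip, mail_from.split("@")[-1])}
```

With the relay's address, the MAIL FROM check fails while the HELO check passes; a host that forges both the HELO name and the sender domain fails on both.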


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
