Thanks Sandy, interesting response, it got me thinking a bit: wouldn't the spammer/attacker need to have delegated authority over the source IP address space and control of DNS infrastructure to forge a PTR record? I have been doing this a while and I don't recall ever seeing a message whitelisted due to forged revdns; I use revdns for whitelisting heavily.
Also to the point of Ben's query, your solution is a good one, didn't pick up on that one... I guess I didn't consider the possibility of a targeted attack on an email admin list from the hosting anti-spam/virus vendor's domain when I suggested using the revdns, although it would be kinda funny. lol

-- Rick

-----Original Message-----
From: Sanford Whiteman [mailto:sa...@cypressintegrated.com]
Sent: Sunday, June 19, 2011 2:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] white list or positive weight for a specific To address?

> Why not use the HELO or REVDNS? REVDNS is going to be the safest
> because of the difficulty in forging it

Not always... if the domain has a hard-fail SPF record that isn't *itself* dependent on forgeable records (only uses IPs and forward DNS entries), then the MAILFROM can't successfully impersonate the protected domain (the envelope sender can still be trivially crafted, of course, but the mail will be rejected).

However, in the case under discussion, declude.com's SPF record depends on the forgeable PTR, so in this case the SPF isn't any stronger protection than REVDNS itself. I would hesitate to say that there's any "difficulty" forging the PTR as part of a targeted attack.

@ Ben, the MAILFROM for list messages uses the format declude.junkmail-your_verp...@declude.com, so there is a consistent SMTP (RFC 821) envelope sender to filter on.

-- Sandy

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
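
The distinction Sandy draws above, between a hard-fail SPF record built only on IPs and forward DNS and one that depends on PTR, can be checked mechanically before an SPF pass is used as a whitelist condition. The following is an added example, not part of the original thread and not Declude code: `assess_spf` and its verdict names are hypothetical, the sample records are constructed (example.com and documentation address space), and no DNS lookups are made.

```python
import re

# %{p} expands to the validated PTR name of the client IP (RFC 7208, section 7.2)
PTR_MACRO = re.compile(r"%\{p\d*r?[.\-+,/_=]*\}", re.IGNORECASE)

def assess_spf(record):
    """Classify one SPF TXT string by what a 'pass' result ultimately rests on."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ptr_terms, delegated, hard_fail = [], [], False
    for term in terms[1:]:
        # Modifiers look like name=value; mechanisms like [qualifier]name[:domain][/cidr]
        modifier = re.match(r"([a-z][a-z0-9._-]*)=", term, re.IGNORECASE)
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if PTR_MACRO.search(term) or (not modifier and name == "ptr" and qualifier == "+"):
            ptr_terms.append(term)          # a pass here rests on reverse DNS
        elif modifier:
            if modifier.group(1).lower() == "redirect":
                delegated.append(term)      # policy lives in another record
        elif name in ("include", "exists"):
            delegated.append(term)          # outcome depends on another lookup
        elif name == "all" and qualifier == "-":
            hard_fail = True
    if ptr_terms:
        verdict = "ptr-dependent"           # no stronger than REVDNS itself
    elif delegated:
        verdict = "check-delegated"         # fetch those records and assess them too
    elif not hard_fail:
        verdict = "no-hard-fail"            # forged mail is not rejected outright
    else:
        verdict = "ip-and-forward-dns-only"
    return {"verdict": verdict, "hard_fail": hard_fail,
            "ptr_terms": ptr_terms, "delegated": delegated}

if __name__ == "__main__":
    # Constructed sample records
    for rec in ("v=spf1 ip4:192.0.2.0/24 mx -all",
                "v=spf1 ptr:example.com -all",
                "v=spf1 exists:%{p}.example.com -all",
                "v=spf1 include:_spf.example.net -all",
                "v=spf1 a mx ~all"):
        print(assess_spf(rec)["verdict"], "<-", rec)
```

Only the `ip-and-forward-dns-only` verdict corresponds to the case where a forged MAILFROM for the protected domain will be rejected regardless of what the sending IP's PTR says.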