We are missing an opportunity if we do not include the HELO name along with the IP address in the aggregate reports. I would also recommend asking for fcDNS status (confirmed, not confirmed, not tested).
The report receiver could do the fcDNS check himself, but there is a possibility that the results will be different if tested from a different geography at a later point in time.

1) HELO will often produce fcDNS confirmed, and it is often an accurate clue to the server owner even when it is not confirmed. Once you know the server owner, you can make reliable correlations across all IPs used by that organization.

2) Despite what might be assumed, the HELO name does not change very often, even for spam sources. If and when the name does change, you still learn valuable data. Three possibilities come to mind:

a) The IP ownership has changed, so the IP reputation needs to be re-evaluated.

b) The source is playing name games, so the IP reputation should be mistrusted further.

c) The source is behind a shared V6-to-V4 gateway, so reputation needs to be based entirely on HELO instead of IP.

And as a side benefit, we can ask for this information without causing any further disaggregation.

Doug Foster
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
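The three-way fcDNS status the post proposes (confirmed, not confirmed, not tested), together with a separate check of whether the HELO name itself resolves to the connecting IP, can be worked through in code. The example below is added here and is not part of the post or of any DMARC implementation; the DNS data is constructed from RFC 5737/3849 documentation addresses, the row field names (`fcdns`, `helo_fwd`, `ptr_name`) are hypothetical since the post proposes no report schema, and the resolver functions are injectable so that the same IP can be evaluated against a different resolver (the "different geography, later point in time" case) and a failing resolver yields "not tested" rather than being conflated with "not confirmed".

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

CONFIRMED = "confirmed"
NOT_CONFIRMED = "not confirmed"
NOT_TESTED = "not tested"


class DnsUnavailable(Exception):
    """Raised by a resolver when it cannot answer (timeout, SERVFAIL, no network)."""


# Constructed sample DNS data for an offline run. Names and addresses are
# hypothetical documentation values (RFC 5737 / RFC 3849), not from the post.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net"],
    "192.0.2.20": ["mx.example.org"],
    "2001:db8::25": ["gw6.example.com"],
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "smtp.example.net": ["192.0.2.10"],   # a HELO name that also resolves to the IP
    "mx.example.org": ["198.51.100.5"],   # forward answer does not point back
    "gw6.example.com": ["2001:db8::25"],
}


def canon_ip(ip: str) -> str:
    """Normalise textual IPv4/IPv6 so comparisons are not fooled by formatting."""
    return str(ipaddress.ip_address(ip))


def canon_name(name: str) -> str:
    return name.strip().rstrip(".").lower()


def sample_ptr(ip: str) -> List[str]:
    return list(PTR_RECORDS.get(canon_ip(ip), []))


def sample_addr(name: str) -> List[str]:
    return list(A_RECORDS.get(canon_name(name), []))


def failing_resolver(_: str) -> List[str]:
    """Stands in for a resolver that times out; produces the 'not tested' outcome."""
    raise DnsUnavailable("no answer")


def fcdns_status(ip: str,
                 ptr_lookup: Callable[[str], List[str]] = sample_ptr,
                 addr_lookup: Callable[[str], List[str]] = sample_addr
                 ) -> Tuple[str, Optional[str]]:
    """Forward-confirmed reverse DNS: some PTR name for the IP must resolve
    forward to the same IP. Returns (status, name): the confirming PTR name,
    the first PTR name seen when not confirmed, or None."""
    ip = canon_ip(ip)
    try:
        names = ptr_lookup(ip)
        for name in names:
            if ip in {canon_ip(a) for a in addr_lookup(name)}:
                return CONFIRMED, canon_name(name)
        return NOT_CONFIRMED, (canon_name(names[0]) if names else None)
    except DnsUnavailable:
        return NOT_TESTED, None


def helo_status(ip: str, helo: str,
                addr_lookup: Callable[[str], List[str]] = sample_addr) -> str:
    """Does the HELO name itself resolve forward to the connecting IP?"""
    ip = canon_ip(ip)
    try:
        return CONFIRMED if ip in {canon_ip(a) for a in addr_lookup(helo)} else NOT_CONFIRMED
    except DnsUnavailable:
        return NOT_TESTED


def report_row(ip: str, helo: str,
               ptr_lookup: Callable[[str], List[str]] = sample_ptr,
               addr_lookup: Callable[[str], List[str]] = sample_addr
               ) -> Dict[str, Optional[str]]:
    """One aggregate-report row carrying the extra fields the post asks for.
    Field names are hypothetical; the post proposes no schema."""
    fc, ptr_name = fcdns_status(ip, ptr_lookup, addr_lookup)
    return {
        "source_ip": canon_ip(ip),
        "helo": canon_name(helo),
        "fcdns": fc,
        "ptr_name": ptr_name,
        "helo_fwd": helo_status(ip, helo, addr_lookup),
    }


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "smtp.example.net"),
                     ("192.0.2.20", "mx.example.org."),
                     ("2001:0db8::0025", "gw6.example.com"),
                     ("203.0.113.7", "bogus.example")]:
        print(report_row(ip, helo))
    # Same IP, resolver unavailable: the row says "not tested", not "not confirmed".
    print(report_row("192.0.2.10", "smtp.example.net",
                     ptr_lookup=failing_resolver, addr_lookup=failing_resolver))
```

Keeping "not tested" distinct from "not confirmed" is the point of recording the status at the receiver that saw the connection: a later check from elsewhere may get a different answer, and a missing answer should never be scored as a failed one.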
