[RFCI-Discuss] DSN listing of secureserver.net

Sat Oct 28 05:54:05 EDT 2006

On 10/25/06, Alan Brown <alanb at digistar.com> wrote:
> On Tue, 24 Oct 2006, T wrote:
>
> > For the record, a lot of SPF configurations don't realize that HELO do
> > matter in th case of null <> sends and that "brain dead" behavior is
> > actually probably per spec and totally correct.
>
> Which raises the issue that RFC 821/822 stats that HELOs need not bear
> any relationship to the actual hostname - as long as they're
> syntactically valid.

Well, yes, it doesn't NEED any relationship, but in spirit it does and
it would be better if it did.

That's why I was annoyed with hotmails use of HOTMAIL.COM for their
billion servers...  they could do whatever they want and it would be
acceptible (not necessarily ok).  I was annoyed because I couldn't
even complain despite not honoring the spirit of the RFC.

> > While for the longest time, it thought it annoying that all hotmail
> > servers used "hotmail.com" in their HELOs not quite to the spirt of
> > RFCs
>
> But entirely within the meaning of them.

The reason why I might be annoyed.  If it was more than that then I
could complain or do something about it.

> The RFCs are quite clear that messages MUST NOT be rejected on the basis
> of HELO not matching the connecting hostname.
>
> >(individual servers weren't identifiable)
>
> HELOs aren't intended for individual server identification and never were.

Well, no, I think that was the original intention although never a
requirement... I'm not sure how you explain them....  I feel the spirt
of the RFC should allow that the server with the "HELO FRED" be
immediately identifiable by FREDs postmaster.

I'm not gonna look up the RFCs.  I tend to abstract them and look at
the spirt of RFC and try to determine why they were written and what
they intended... so I wouldn't care (and would actually prefer) if
hotmail used HELO 1.hotmail 2.hotmail 3.hotmail (where #.hotmail
aren't valid reverse etc hostnames) for the different hostnames for
their different servers (so while not valid hostnames they are
differentiable).  People 10 years ago would know they were different
servers and if no one, else then the hotmail staff would be able to
quickly and easily know which was the 1.hotmail and 2.hotmail etc
server that someone else referred and that would be entirely OK.

I think HELOs are two part... #1 for the postmaster of the sending
system for server identification... and that was the half the original
"spirit" of the RFC.

If you as the sender don't know what EHLO FRED and EHLO WILMA mean
then that doesn't matter... if you mail me and tell me there is a
problem with BARNEY or BETTY then I should definately know what you
are talking about -- if you say there is a problem with server
"FLINSTONE.COM" then that causes us both problems since I wouldn't
know whether you were talking about BAMBAM or PEBBLES or any of the
other servers I've mentioned.

HELOs have a purpose... imagine what that should be -- I imagine they
would either allow the sender to know who was doing the HELO (#1) or
the recipient (#2) and in the perfect world both would know.  When you
use HELO to regurgitate something you already know (the ipaddress) or
something random then there is no point in having a HELO and you are
violating any reason to have a HELO and therefore the spirit of the
RFC, otherwise you wouldn't even need a HELO.  If you specify it then
it should be needed for some reason.

The reason why I would be ok with "HELO FRED" is because the sender
postmaster would know which FRED we are talking about (assuming there
was only one not 1001 HOTMAIL.COMs)... if the sender didn't know which
"FLINSTONE.COM" we were talking about, or whether it was BETTY or
WILMA then that would be a useless unneeded HELO so why have HELOs in
RFCs in the first place.

> > The moral of this story, or of the original story (this thread) is...
> > if you have mail server, configure SPF records for you hostnames too.
>
> The amusing thing about this is that there are no valid PTR records for
> manawatu.net.nz and the envelope is never used to send mail, which is
> why I used that HELO from a machine in uk.linux.org (nothing to do with
> the MX record either)

I didn't investigate that much (or anything).  With no PTR records
then let's just reject them outright.

I actually do use HELO spf verification in my spam filters... I just
don't weight them, but they are interesting statistics and something
other people probably can't even do.  It is just interest to gauge
postmaster -- well, not postmaster, but SPF smartness.  That is why I
was complaining about most people not knowing about SPF re:
HELO/hosts.

> > The moral of the hotmail story is they can't get anything right.
>
> Hotmail has been explicitly blocked on $orkplace servers for years,
> along with Yahoo and (more recently) Gmail - due in all 3 cases to lack
> of action on emission of 419 cruft.

I don't know about $orkplace..  I realize what you say about 419
stoof, but even with some emissions, we can't block them exclusively
on those grounds.

Speaking of which, why don't I mention more stupid reasons to be
annoyed... stupid DSN generators... (I always have pleanty of things
to be annoyed at).

If you send a messages these addresses you should get corresponding
error messages...

<x-unknown at spam.tymes.net>  554 5.7.1 Rejected, Unknown User
<x-viagra at spam.tymes.net>       554 5.7.1 Rejected, I'm big enough
<x-size at spam.tymes.net>         554 5.7.1 Rejected, Message too big
<x-full at spam.tymes.net>           554 5.7.1 Rejected, Mailbox full
<x-blah at spam.tymes.net>         554 5.7.1 Rejected, blah
<x-date at spam.tymes.net>         554 5.7.1 Rejected, Bad Date }

But if you use hotmail for any of these or Microsoft exchange or a few
other stupid servers, you'll notice you get the same useless error
message for each of those addresses that don't tell you anything
except it failed... how useless are those messages?

Good reason to complain to microsoft.