Subject: Re: postfix rDNS verification and getaddrinfo()
To: Wolfgang S. Rupprecht <wolfgang+gnus20030815T141901@wsrcc.com>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-net
Date: 08/16/2003 17:32:12
    Date:        15 Aug 2003 14:45:55 -0700
    From:        wolfgang+gnus20030815T141901@wsrcc.com (Wolfgang S. Rupprecht)
    Message-ID:  <x7isoyioh8.fsf@capsicum.wsrcc.com>

  |         connection from [1.2.3.4]
  |         rDNS lookup yields name foo.example.com
  |         DNS verification of foo.example.com yields one IP address, 
  |                 [5.6.7.8].  (Note this address is NOT the address 
  |                 from step #1.  We have a very clear forgery.)

No you don't.   All you have is an indication that the address that
you're directed to in order to reach 5.6.7.8 is not the one that it
is using to reach you.   There is absolutely nothing incorrect about
that.

A forgery happens only when (in this kind of context) a name is used
without authorisation - if 1.2.3.4 is authorised to say that it is
foo.example.com then there is no forgery.

That this makes it harder to trivially detect forgeries is clear,
but it doesn't make it any less true. This is also why the mail
standards say that you're not allowed to reject mail based upon
some misconceived notion about what is given in the HELO (EHLO)
command not being correct.

kre
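
The check walked through in the quoted steps (PTR lookup, forward lookup, comparison), as an added example that is not part of the original message and is not Postfix's code. The function names, status strings and injectable resolver hooks are assumptions made for illustration, and the sample tables are constructed from the addresses in the quote. A mismatch is returned as a status for the caller to weigh, since the DNS data alone cannot say whether the address is authorised to use the name.

```python
import ipaddress
import socket

# Constructed sample DNS data mirroring the addresses in the quoted message.
SAMPLE_PTR = {"1.2.3.4": "foo.example.com", "5.6.7.8": "foo.example.com"}
SAMPLE_FWD = {"foo.example.com": ["5.6.7.8"]}

def system_ptr(addr):
    """PTR lookup through the system resolver; None when there is no name."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name):
    """Every A/AAAA address getaddrinfo() returns for name; [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def normalize(addr):
    """Parse an address, folding IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any scope id
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def check_rdns(client_addr, ptr=system_ptr, forward=system_forward):
    """Return (status, name, forward_addrs) for one connecting address."""
    client = normalize(client_addr)
    name = ptr(str(client))
    if not name:
        return ("no-ptr", None, [])
    addrs = {normalize(a) for a in forward(name)}
    listed = sorted(str(a) for a in addrs)
    if not addrs:
        return ("no-forward", name, listed)
    # Compare against the whole address set, not just the first answer.
    status = "confirmed" if client in addrs else "mismatch"
    return (status, name, listed)

if __name__ == "__main__":
    fwd = lambda n: SAMPLE_FWD.get(n, [])
    for peer in ("1.2.3.4", "5.6.7.8", "::ffff:5.6.7.8", "9.9.9.9"):
        print(peer, check_rdns(peer, ptr=SAMPLE_PTR.get, forward=fwd))
```

Called without the `ptr` and `forward` arguments, `check_rdns` uses the system resolver instead of the sample tables.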