On 6/1/06, Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org> wrote:
> Would Google or Yahoo be able to verify to example.com
> that Joe Blow is authorized to send out email as joeblow(_at_)yahoo(_dot_)com or
> joeblow(_at_)gmail(_dot_)com when sending email from example.com? Manual
> confirmation doesn't scale. Automating it opens up the potential for
> address harvesting.

spf plus a database-based DNS can solve this. joeblow registers with
yahoo's complex spf engine that he sometimes sends his mail from example.com,
and the receiving MTA hits a macro section in yahoo's spf record that
indicates how to build an A-record query to ask if he uses example.com
and the receiving MTA does the A-record lookup and bases the authorization
result on the result of the second DNS lookup, which looks something like

example.com.isgoodnamedsourcefor.joeblow.morespf.yahoo.com

SPF classic provides macros for exactly this purpose; there is very
little potential for harvesting without guessing; statistical techniques
currently used to deny access to guessers can be re-used to protect the
dns service.

If guessing would be of any use at all, since you would need to guess
the user-part in association with a non-standard relay that that user
uses, in order to get a useful result from a guess.

morespf.yahoo.com would NOT provide zone transfers to the general public,
for instance.

--
David L Nicol
"fans of liza minelli should always be
disconnected immediately" -- Matthew Henry at Voxeo
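
The lookup described in the message above, as an added example that is not part of the original post: a receiver expands an SPF `exists:` macro into the per-user, per-relay name and decides on whether an A record comes back. The record text, the use of `%{h}` (the HELO name) for the relay, the in-memory zone and the helper names are all assumptions made for illustration.

```python
import re

# Constructed stand-in for the database-backed zone behind morespf.yahoo.com:
# a name resolves only if that user registered that relay (sample data).
REGISTERED = {
    "example.com.isgoodnamedsourcefor.joeblow.morespf.yahoo.com": "127.0.0.2",
}
# Hypothetical record; the post does not give the actual SPF text.
SPF_RECORD = "v=spf1 exists:%{h}.isgoodnamedsourcefor.%{l}.morespf.yahoo.com -all"

MACRO = re.compile(r"%\{([a-z])\}|%([%_-])")
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def expand(spec, sender, helo, ip):
    """Expand SPF macro letters s, l, o, d, h, i (no transformers or delimiters)."""
    local, _, domain = sender.rpartition("@")
    values = {"s": sender, "l": local or "postmaster", "o": domain,
              "d": domain, "h": helo, "i": ip}
    literals = {"%": "%", "_": " ", "-": "%20"}
    def sub(m):
        # An unsupported macro letter raises KeyError instead of being guessed.
        return values[m.group(1)] if m.group(1) else literals[m.group(2)]
    return MACRO.sub(sub, spec).lower()

def lookup_a(name):
    """Stand-in for a DNS A query; returns None when the name does not exist."""
    return REGISTERED.get(name.rstrip("."))

def check(record, sender, helo, ip):
    """Evaluate a record made of exists: terms and 'all'; return (result, queries)."""
    queried = []
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none", queried
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech.startswith("exists:"):
            name = expand(mech[len("exists:"):], sender, helo, ip)
            queried.append(name)
            matched = lookup_a(name) is not None
        elif mech == "all":
            matched = True
        else:
            raise ValueError("mechanism not handled in this sketch: " + mech)
        if matched:
            return RESULTS[qualifier], queried
    return "neutral", queried

if __name__ == "__main__":
    print(check(SPF_RECORD, "joeblow@yahoo.com", "example.com", "192.0.2.10"))
    print(check(SPF_RECORD, "janedoe@yahoo.com", "example.com", "192.0.2.10"))
```

A query answers only for an exact user and relay pair, which is the harvesting property the message relies on. The HELO name is supplied by the connecting client, so a record keyed on `%{i}` or `%{p}` ties the answer to the connecting address instead.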