On Thu, 2006-06-01 at 19:05 -0500, David Nicol wrote:
On 6/1/06, Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org> wrote:
Would Google or Yahoo be able to verify to example.com
that Joe Blow is authorized to send out email as
joeblow(_at_)yahoo(_dot_)com or
joeblow(_at_)gmail(_dot_)com when sending email from example.com? Manual
confirmation doesn't scale. Automating it opens up the potential for
address harvesting.
spf plus a databse-based DNS can solve this.
SPF represents a highly dangerous scheme with respect to packet
amplification threats. Synthesizing perhaps large amounts of data with
trick DNS servers for localpart SPF records continues to overlook
significant security concerns.
joeblow registers with
yahoo's complex spf engine that he sometimes sends his mail from example.com,
and the receiving MTA hits a macro section in yahoo's spf record that
indicates how to build an A-record query to ask if he uses example.com
and the receiving MTA does the A-record lookup and bases the authorization
result on the result of the second DNS lookup, which looks something like
example.com.isgoodnamedsourcefor.joeblow.morespf.yahoo.com
SPF classic provides macros for exactly this purpose; there is very
little potential for harvesting without guessing; statistical
techniques currently used to deny access to guessers can be re-used to
protect the dns service.
More modifications to DNS? Fortunately yahoo does not implement SPF.
Macros within SPF for qualifying user space remain highly prone to
harvesting without some type of blocking. This blocking would however
be highly prone to DoS exploits. In short, it will not work.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg