ietf-asrg

Re: [Asrg] What are the IPs that sends mail for a domain?

2009-06-22 16:16:49
On Mon, Jun 22, 2009 at 3:05 PM, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

On Jun 22, 2009, at 7:12 AM, Ian Eiloart wrote:

--On 21 June 2009 23:34:16 -0700 Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

SPF does not work well at resolving a domain that should be held
accountable for a few reasons-

 a) risks high and impractical transaction overheads at attempts to
indirectly reference the customers of a provider.

Er, we already have ridiculous transaction overheads for email. Anything
that stopped spam would reduce the transaction overheads for legitimate
email by up to tenfold.

Only the application of reputation and address range policies reduces spam
levels.  Not using SPF and instead using CSV will reduce the transaction
overhead needed to validate an associated domain.  SPF often requires
several transactions, that may exceed several hundred transactions where 111
could be generated by PRAs and then another 111 for the Mail-From.   The
high overhead problem of SPF can be made worse when the SPF records contain
macros.  Using SPF macros, bad actors can cause recipients to generate a
long series of different DNS transactions based upon portions of an
email-address local-part, for example.  This enables a free DDoS attack
while spamming, since SPF macros can make DNS caching ineffective.


Doug,

I'd take your discussions of SPF more seriously if you would stop
conflating SPF and Sender-ID. They are two different animals. SPF (the
specification) does not include anything called PRA. Sender-ID
includes the concept of PRA. PRA is broken in the spec so there isn't
any purpose in spending time discussing it. All one needs to do is
look at the paragraph that states that if a sender field exists you
set the PRA to that. This bypasses any SPF record published for the
Mail From (envelope sender) domain. End of discussion.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
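
Added example, not part of either message in this thread: a receiver-side audit of the SPF macro behaviour discussed in the quoted text, which counts the terms in a record that trigger DNS lookups and flags any whose query name depends on the sender's local-part, so that each distinct sender yields an uncacheable name. The record, domain names and sender addresses are constructed sample data, and the function names are hypothetical.

```python
import re

# Sender-derived SPF macros only (s, l, o, d); other letters are left unexpanded.
MACRO = re.compile(r"%\{([slod])(\d*)(r?)([.\-+,/_=]*)\}")
# Terms that trigger DNS queries and count toward SPF's limit of 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def expand(spec, sender, domain):
    """Expand %{s}, %{l}, %{o}, %{d} (with digit/r/delimiter transformers)."""
    local, _, sender_domain = sender.partition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain}

    def sub(m):
        letter, digits, rev, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]   # keep the right-most N labels
        return ".".join(parts)

    return MACRO.sub(sub, spec)

def audit(record, domain, senders):
    """Return (lookup_term_count, {term: distinct names queried for senders})."""
    lookups, findings = 0, {}
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        m = re.match(r"([A-Za-z]+)[:=]?(.*)", term.lstrip("+-~?"))
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        lookups += 1
        spec = m.group(2)
        if re.search(r"%\{[ls]", spec):    # query name varies with the local-part
            findings[term] = sorted({expand(spec, s, domain) for s in senders})
    return lookups, findings

# Constructed sample data (not taken from any real domain).
RECORD = "v=spf1 mx exists:%{l}.%{d2}.check.example.net include:_spf.example.com -all"
SENDERS = ["alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    lookups, findings = audit(RECORD, "example.com", SENDERS)
    print(f"{lookups} lookup terms (limit 10)")
    for term, names in findings.items():
        print(f"{term}: {len(names)} distinct query names for {len(SENDERS)} senders")
```
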
