Re: [Asrg] ipv6 macro expansion example in SPF specification, DNS ranges...
2011-01-24 13:52:44
On 1/22/11 5:51 PM, David Nicol wrote:
> On Fri, Jan 21, 2011 at 10:29 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:
>> How would one represent "e-mail may appear from sources appearing in
>> this whitelist" in an SPF record, with your b-tree proposal?
> Popularize the b-tree protocol, then have a way to refer to it
> included in SPFv3?

There was general consensus at MAAWG that SPF does not serve as a basis for
mitigating spam. Use of SPF was limited to determining which reputation
services currently list an SPF authorized IP address when handling
complaints, or whether the authorized IP address can be included in
feedback. This expects SPF records will resolve specific IP addresses.
This is not necessarily true, nor is it always safe to assume a domain
controls the authorized IP addresses.

When SMTP Authentication becomes possible with DANE resource records,
this will remove a need to collect sets of DNS resource records
representing both authorized v4 and v6 IP addresses. Many record sets
that only list v4 have already reached their "mechanism" limits. DANE-based
authentication would provide a safer basis for directing feedback
as well. Unfortunately, it is not practical to list all possible v6
addresses or domain names that might instigate abuse. Defensive
strategies must develop a generous list of "conforming" domains instead.
Since billions of new domains are used every day by malefactors, neither
the possession of a domain, nor a v6 IP address, offers a safe basis for
acceptance when screened with negative reputations unable to keep pace.
Efforts that attempt to relate domains to IP addresses seen by targets
to confirm legitimate use of a domain are also likely to prove
problematic, which leaves cryptographic authentication. In addition, SPF
may support a denial of service attack with its processing of encoded
macros based upon email address local-parts.

Cryptographic authentication will not threaten DNS, and when based upon
"conforming" domains, is unlikely to serve as a denial of service
mechanism. Of course, DNS already handles domain names effectively
without a need to redesign the query mechanism to obtain which domains
"conform" to rules of reasonable behavior. It is also likely there will
be a need to authorize other domains to better ensure acceptance of
third-party transactions.

-Doug
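
Archive note (an added example, not part of the original message or of any SPF implementation): the message refers to SPF records reaching their "mechanism" limits and to macros based on the local-part. The Python sketch below audits a single record for both, using the limit of 10 DNS-querying terms from RFC 4408 section 10.1; the record, sender addresses and function names are constructed for illustration.

```python
import re

# Terms that make the receiver issue DNS queries. RFC 4408 section 10.1 caps
# them at 10 per SPF check; this sketch counts one record only and does not
# follow include/redirect targets.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
MACRO = re.compile(r"%\{([lsod])(\d*)(r?)([.\-+,/_=]*)\}")

def expand(spec, sender, domain):
    """Expand sender-derived macros (l, s, o, d); other macros are left as-is."""
    local, _, sender_domain = sender.partition("@")
    values = {"l": local, "s": sender, "o": sender_domain, "d": domain}

    def repl(m):
        letter, digits, rev, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO.sub(repl, spec)

def audit(record):
    """Return (count of DNS-querying terms, those keyed on the local-part)."""
    lookups, local_keyed = 0, []
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        name = re.split("[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
            if re.search(r"%\{[ls]", term):  # %{s} contains the local-part too
                local_keyed.append(term)
    return lookups, local_keyed

def query_names(term, senders, domain):
    """Distinct DNS names one term expands to across a set of senders."""
    return {expand(term.split(":", 1)[1], s, domain) for s in senders}

# Constructed record and senders (example.com is a reserved documentation name).
RECORD = "v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net exists:%{l}._spf.%{d} -all"
SENDERS = ["a1@example.com", "a2@example.com", "a3@example.com"]

if __name__ == "__main__":
    count, keyed = audit(RECORD)
    print(f"{count} of {LOOKUP_LIMIT} lookup terms used; local-part keyed: {keyed}")
    for term in keyed:  # one uncacheable query name per distinct local-part
        print(sorted(query_names(term, SENDERS, "example.com")))
```

A receiver can use the second return value of `audit` to decide whether to skip or rate-limit evaluation of terms whose query name depends on the local-part.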