On 6 Dec 2012, at 16:21, John Levine wrote:
> In article
> <CAFduganiaDkf0jFsV7FYcAvi9JjA9G-iTj8XLVzcDNY=jo_m=w(_at_)mail(_dot_)gmail(_dot_)com>
> you write:
>> Here is the proof of concept! An email sent to John Levine claiming
>> to be from ygii-john(_at_)www(_dot_)johnlevine(_dot_)com!!!
> Life is too short to publish SPF -all records for every host name that
> doesn't send mail.
Well, not really. It's not 1999: no one competent and sane manages zones
of non-trivial size or significance by editing canonical-format zone
files in a 24x80 text editor. As a matter of standard practice, many
domains have long been managed with an awareness that the MX/A issue
creates problems which are mitigated by never creating an A record
without also creating an MX, with non-mailing hosts getting MX records
that are easily detected as a declaration of that status. This is useful
because there are spam exclusion tactics which detect such declarations
and so reject spoofed addresses. It is a simple matter with many (most?)
modern MTAs to reject mail in SMTP before DATA if the sender domain has
a bogus MX record. The cleanest form of bogosity is the "nullmx"
approach proposed and used by Yahoo, but it is also useful for receivers
to detect MX records pointing to names without A records or with A
records pointing to unusable addresses (i.e. permanently reserved
and/or otherwise special address ranges.) If a domain owner is already
publishing SPF for mailing names (where it can be problematic) and
already publishing anti-functional MX records, they should have no
problem with publishing SPF records as well for their non-mailing names.
There is a nuisance cost in doing this sort of thing for mid-sized
domains which have long been able to function managing their DNS in ad
hoc ways, but that condition is pretty much doomed anyway by IPv6 and
DNSSEC. We all are destined for needing to think more and more carefully
about DNS.
I should add that I don't think this issue is significant in the big
picture of spam control and it certainly isn't news with respect to SPF.
The days of hope for SPF as the FUSSP are long gone. Even with DMARC we
will never have a world where SPF plays a primary role in sender
authentication and repudiation. SPF has a few narrow applications where
it is very useful, but anyone hoping for it to be the fix for all sender
spoofing ought to have been disillusioned by real world experience some
years ago.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
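The pre-DATA check described in the message above (reject a MAIL FROM domain whose MX is the Yahoo-style "nullmx", whose MX points at a name with no A/AAAA records, or whose MX resolves only to reserved or special-use addresses), written out as an added example in Python. This is not code from the message's author, the ASRG list, or any particular MTA; every domain name, address and the in-memory DNS table are constructed so it runs offline, and the resolver is pluggable so a real lookup can be dropped in. It goes slightly beyond the message by also handling the no-MX case (RFC 5321 implicit MX from the domain's own A/AAAA) and by rejecting only when every MX target is bogus, so one stale secondary MX does not cause a false positive.

```python
"""Pre-DATA sender-domain sanity check: reject an envelope sender whose domain
declares via MX that it never sends mail, or whose MX records are bogus."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed, hypothetical DNS answers keyed by (owner name, RR type).
# This stands in for a real resolver so the example runs offline; none of
# these names or addresses are real zone data.
SAMPLE_DNS: Dict[Tuple[str, str], list] = {
    ("sender.example", "MX"):       [(10, "mx.sender.example")],
    ("mx.sender.example", "A"):     ["203.0.114.10"],      # routable: the happy path
    ("implicit.example", "A"):      ["203.0.114.11"],      # no MX at all: RFC 5321 implicit MX
    ("nomail.example", "MX"):       [(0, ".")],            # RFC 7505 null MX ("nullmx")
    ("dangling.example", "MX"):     [(10, "ghost.dangling.example")],  # target has no A/AAAA
    ("loopback.example", "MX"):     [(10, "lo.loopback.example")],
    ("lo.loopback.example", "A"):   ["127.0.0.1"],         # special-use address
    ("testnet.example", "MX"):      [(10, "mx.testnet.example")],
    ("mx.testnet.example", "AAAA"): ["2001:db8::25"],      # documentation prefix, not routable
    ("mixed.example", "MX"):        [(10, "bad.mixed.example"), (20, "good.mixed.example")],
    ("bad.mixed.example", "A"):     ["0.0.0.0"],           # one bogus MX target ...
    ("good.mixed.example", "A"):    ["203.0.114.12"],      # ... and one usable one
}

Resolver = Callable[[str, str], list]


def sample_resolver(name: str, rrtype: str) -> list:
    """Look up (name, rrtype) in the constructed table; a miss means NXDOMAIN/NODATA."""
    return SAMPLE_DNS.get((name.rstrip(".").lower(), rrtype), [])


def usable_addresses(host: str, resolve: Resolver) -> List[str]:
    """Addresses of host that could plausibly be an SMTP endpoint: parseable and
    globally routable (drops loopback, private, documentation, unspecified, ...)."""
    out = []
    for addr in resolve(host, "A") + resolve(host, "AAAA"):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address data counts as unusable
        if ip.is_global:
            out.append(addr)
    return out


def classify_sender_domain(domain: str, resolve: Resolver = sample_resolver) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for a MAIL FROM domain, checked before DATA.

    Reject when:
      1. an MX exchange is "." (null MX, RFC 7505): the domain says it never sends mail;
      2. there is no MX and no A/AAAA: nothing could ever take a bounce;
      3. every MX target lacks address records or resolves only to unusable addresses.
    """
    domain = domain.rstrip(".").lower()
    mx_rrs = resolve(domain, "MX")
    if not mx_rrs:
        # RFC 5321 section 5.1: no MX means the domain's own A/AAAA is the implicit MX.
        if usable_addresses(domain, resolve):
            return ("accept", "implicit MX via A/AAAA")
        if resolve(domain, "A") or resolve(domain, "AAAA"):
            return ("reject", "implicit MX resolves only to unusable addresses")
        return ("reject", "no MX and no address records")
    exchanges = [exch for _pref, exch in sorted(mx_rrs)]
    if any(exch == "." for exch in exchanges):
        return ("reject", "null MX: domain declares it does not send mail")
    for exch in exchanges:
        if usable_addresses(exch, resolve):
            return ("accept", f"MX {exch} has a usable address")
    return ("reject", "no MX target resolves to a usable address")


if __name__ == "__main__":
    for d in ("sender.example", "implicit.example", "mixed.example", "nomail.example",
              "dangling.example", "loopback.example", "testnet.example", "nowhere.example"):
        verdict, why = classify_sender_domain(d)
        print(f"{d:20} {verdict:7} {why}")
```

In a real deployment the resolver would query DNS with a short timeout and treat SERVFAIL or a timeout as a temporary failure (4xx), not as "bogus", so a resolver outage does not turn into a mass rejection; the verdict above only distinguishes the permanent cases the message talks about.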