Douglas Otis wrote:

> Ten or eleven SPF records can be chained, where each set may contain
> 10 mechanisms

10 chained records => 10 "include" or "redirect" => limit of 10 reached.
The next contained mechanism - anything more elaborated than an "ip4",
"ip6", or "all" - results in a PermError.

> each mechanism may then invoke up to 10 additional DNS transactions

The two mechanisms doing that are "ptr" and "mx", and "ptr" depends on
the IP of the SMTP client. That leaves "mx" as the only mechanism for
this consideration.

> Each name resolved using SPF may target a victim not seen anywhere
> within the message with 100 DNS transactions.

The attacker can construct a policy with 10 "mx" mechanisms, with 10
fabricated names per MX in the attacked domain. The attacker won't
send the IPs of those names in the q=mx reply by his name server, so
that results in 100 queries to the name server of the attacked domain.
After that the SMTP server in question has these 100 answers cached.

Frank
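
Added example, not part of the original message or of any SPF implementation: a small auditor that applies the two limits discussed above (10 DNS-querying terms per evaluation, 10 names per "mx") to a policy and reports the worst-case lookup count a receiver would accept. The function name, the domain names and the sample records are constructed for illustration, and capping (rather than rejecting) an MX answer with more than 10 names is an assumption.

```python
MAX_TERMS = 10      # DNS-querying mechanisms/modifiers allowed per evaluation
MAX_MX_NAMES = 10   # MX names resolved for a single "mx" mechanism
COUNTED = {"include", "redirect", "a", "mx", "ptr", "exists"}


class PermError(Exception):
    """Raised when a policy exceeds the DNS-querying term limit."""


def worst_case(domain, spf, mx, tally=None):
    """Walk a policy as if nothing matches; count limited terms and MX address lookups."""
    tally = {"terms": 0, "addr": 0} if tally is None else tally
    for term in spf.get(domain, "").split()[1:]:      # skip the "v=spf1" tag
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        if name not in COUNTED:
            continue                                   # ip4, ip6, all, exp: not counted
        tally["terms"] += 1
        if tally["terms"] > MAX_TERMS:
            raise PermError(f"{domain}: more than {MAX_TERMS} DNS-querying terms")
        target = arg.split("/")[0] or domain
        if name == "mx":
            # Assumption: names beyond the cap are not resolved.
            # "ptr" is not tallied here: its extra lookups depend on the client IP.
            tally["addr"] += min(mx.get(target, 0), MAX_MX_NAMES)
        elif name in ("include", "redirect"):
            worst_case(target, spf, mx, tally)         # chained record shares the budget
    return tally


# Constructed sample: SPF TXT records and the number of names each MX query returns.
SAMPLE_SPF = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 mx:a.example mx:b.example "
                      "include:more.example -all",
    "more.example": "v=spf1 mx:c.example a:host.example/24 -all",
}
SAMPLE_MX = {"a.example": 10, "b.example": 12, "c.example": 4}

if __name__ == "__main__":
    print(worst_case("sender.example", SAMPLE_SPF, SAMPLE_MX))
```

The "addr" figure is the number of follow-up address queries that go to whichever name servers are authoritative for the MX target names, which is the quantity the thread is arguing about.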