On Thu, Jun 24, 2004 at 04:41:14PM +0100, Roy Badami wrote:
|
| Meng> antispam engines. Factored records which require a new
| Meng> lookup for every cache negative are, in their world, not
| Meng> lightweight by comparison.
|
| But, AIUI, CSV in its current incarnation involves doing an SRV
| lookup on the domain name; how is this more heavyweight than doing a
| TXT lookup?  CSV looks just as cacheable to me as SPF, but uses more
| compact records...
|
I was mainly comparing cache negatives.

Scenario: 5 spams that all say MAIL FROM:<forgery@aol.com>
Let each spam come from a different IP.

client ip    factored query               block query
---------    --------------------------   ---------------
192.0.2.1    lookup(aol.com, 192.0.2.1)   lookup(aol.com)
192.0.2.2    lookup(aol.com, 192.0.2.2)   cached
192.0.2.3    lookup(aol.com, 192.0.2.3)   cached
192.0.2.4    lookup(aol.com, 192.0.2.4)   cached
192.0.2.5    lookup(aol.com, 192.0.2.5)   cached

In this scenario, factored queries do not benefit from
local DNS caching.

So, the theory is: a spam run against a single receiver
domain may originate from X distinct IPs.
That spam run may forge Y distinct domain names.

If X >> Y, a block format is better than factored.

If Y >> X, block and factored formats are equivalent within
one order of magnitude.

Scenarios in which factored formats beat block formats hands
down tend to be contrived.

The current threat model is lots of zombies, hence lots of
IPs.  True, there's nothing to stop them from forging lots
of domains, too.  That's where the MTAMark design proves
useful --- it scales well, because only one network owner
has to add records.
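
The lookup counts in the scenario above, and the X versus Y comparison, can be reproduced with a small resolver-cache simulation. This is an added example, not part of the original message; the function names, the forgedN.example domains, the one-message-per-second timing and the 3600-second TTL are assumptions made for illustration.

```python
def upstream_lookups(messages, key_fn, ttl=3600):
    """Count queries that miss the receiver's local DNS cache.

    messages: iterable of (timestamp_seconds, client_ip, forged_domain).
    key_fn:   maps (ip, domain) to the name that is actually queried.
    """
    expires = {}  # cache key -> time at which the cached answer expires
    misses = 0
    for ts, ip, domain in messages:
        key = key_fn(ip, domain)
        if expires.get(key, -1) <= ts:  # absent or expired: query upstream
            misses += 1
            expires[key] = ts + ttl
    return misses


def factored_key(ip, domain):
    # Factored format: one query per (domain, client IP) pair,
    # as in lookup(aol.com, 192.0.2.1).
    return (domain, ip)


def block_key(ip, domain):
    # Block format: one query per domain; the client IP is then
    # matched locally against the returned record.
    return domain


def spam_run(num_ips, num_domains):
    """Constructed sample run: each of X IPs forges each of Y domains once,
    one message per second (assumed timing). Supports up to 254 IPs."""
    msgs = []
    for i in range(num_ips * num_domains):
        ip = f"192.0.2.{i % num_ips + 1}"
        domain = f"forged{i // num_ips}.example"
        msgs.append((i, ip, domain))
    return msgs


def compare(num_ips, num_domains, ttl=3600):
    """Return (factored_lookups, block_lookups) for one constructed run."""
    msgs = spam_run(num_ips, num_domains)
    return (upstream_lookups(msgs, factored_key, ttl),
            upstream_lookups(msgs, block_key, ttl))


if __name__ == "__main__":
    for x, y in [(5, 1), (200, 2), (2, 500)]:
        print(f"X={x} Y={y} (factored, block) = {compare(x, y)}")
```

In this model the factored count can exceed the block count by at most a factor of X, which is why the two stay close when only a few IPs are involved.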