ietf-mxcomp

Re: Trouble with Sender Authentication

2006-11-07 17:56:48
Douglas Otis wrote:
> On Nov 7, 2006, at 12:02 PM, Julian Mehnle wrote:
> > > What is your view about forcing use of different scripts?
> >
> > I don't understand what you're suggesting here.  What do you mean
> > by "forcing use of different scripts"?
>
> Obsoleting existing libraries and related scripts as needed due to
> the DDoS potential.

The SPF project isn't convinced just yet that there is significant 
potential for a DoS attack, and if there's any, how real it is, so any 
statements on consequences would be hypothetical at this time.  But trust 
us, we are taking this seriously.  However, we consider it unlikely that 
obsoleting v=spf1 and the existing libraries would be necessary to 
mitigate any serious DoS potential.  Tightening the limits, perhaps.

The problem with your analysis, Doug, is that (1) it attributes several 
attack vectors to SPF which are really orthogonal, like SMTP's 
multi-recipient feature or the use of many compromised systems for sending 
mail, and (2) with a high probability it overrates both the negative effects 
(like the victim/attacker traffic ratio) of an attack staged as described, 
and the net incentive for doing so in the first place.

We are currently investigating the issue further, so expect a thorough 
analysis from us within the coming weeks.
