Douglas Otis wrote:
> On Nov 7, 2006, at 12:02 PM, Julian Mehnle wrote:
>>> What is your view about forcing use of different scripts?
>> I don't understand what you're suggesting here. What do you mean
>> by "forcing use of different scripts"?
> Obsoleting existing libraries and related scripts as needed due to
> the DDoS potential.
The SPF project isn't convinced just yet that there is significant
potential for a DoS attack, and if there's any, how real it is, so any
statements on consequences would be hypothetical at this time. But trust
us, we are taking this seriously. However, we consider it unlikely that
obsoleting v=spf1 and the existing libraries would be necessary to
mitigate any serious DoS potential. Tightening the limits, perhaps.
The problem with your analysis, Doug, is that (1) it attributes several
attack vectors to SPF which are really orthogonal, like SMTP's multi-
recipient feature or the use of many compromised systems for sending mail,
and (2) with a high probability it overrates both the negative effects
(like the victim/attacker traffic ratio) of an attack staged as described,
and the net incentive for doing so in the first place.
We are currently investigating the issue further, so expect a thorough
analysis from us within the coming weeks.