ietf-mxcomp

Re: Trouble with Sender Authentication

2006-11-10 10:42:27

On 10 Nov 2006, John Levine wrote:

> I do agree that the DNS threat from SPF is not qualitatively worse
> than what we already put up with for CNAMEs.

Actually, the top candidates for DNS amplification abuse are large SPF
records, followed by large collections of IN-ADDR records for a single IP,
as is the case for large virtual hosting sites.  Both practices are
advocated by anti-spammers.

I recently saw a ~4k byte SPF record, published by an anti-spam site.  
DNSSEC signed SPF records will probably break the 8K limit.

That's about a 90 to 1 amplification factor.

You can get some amplification with any record type.  You can only get
the high amplification with certain types and certain practices.

                --Dean



-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
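
An added example, not part of the original message: a Python sketch that builds the wire-format TXT query and unsigned response for a published SPF record and reports the response-to-query size ratio discussed above, so a zone owner can check their own record against the 512-byte and 4096-byte UDP sizes. The name example.org, both SPF strings and the audit helper are constructed for illustration; DNSSEC signatures are not modelled.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def opt_rr(udp_size=4096):
    """EDNS0 OPT pseudo-record: root name, type 41, class = UDP size (11 bytes)."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)

def build_query(name):
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", 16, 1) + opt_rr()

def txt_rdata(text):
    """TXT RDATA: the text split into length-prefixed strings of <= 255 bytes."""
    raw = text.encode("ascii")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def build_response(name, text, ttl=3600):
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 16, 1)  # TXT, IN
    rdata = txt_rdata(text)
    if len(rdata) > 65535:
        raise ValueError("RDATA exceeds the 16-bit RDLENGTH field")
    # Owner name is a compression pointer back to the question (offset 12).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + question + answer + opt_rr()

def audit(name, text):
    """Report message sizes and the response/query ratio for one TXT record."""
    q, r = len(build_query(name)), len(build_response(name, text))
    return {"query": q, "response": r, "ratio": round(r / q, 1),
            "fits_512": r <= 512, "fits_4096": r <= 4096}

# Constructed sample records (not taken from any real zone).
SMALL = "v=spf1 mx ip4:192.0.2.0/24 -all"
LARGE = "v=spf1 " + "ip4:192.0.2.1 " * 285 + "-all"   # about 4k bytes of text

if __name__ == "__main__":
    for label, rec in (("small", SMALL), ("large", LARGE)):
        print(label, audit("example.org", rec))
```

A record that reports fits_512 as False forces EDNS0 or TCP fallback for every resolver that looks it up, which is the point at which trimming or restructuring the record is worth considering.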

