On Friday 21 November 2003 5:58 pm, spf(_at_)jdl(_dot_)com wrote:
> So, I was pondering how the proposed HTTP mechanism might
> be abused too. Anyone thought through that one yet?
> What if two different publishers of web content on virtual
> hosts ended up "competing" for the content of that file on
> the one real server? Would it be possible for a spammer
> to publish "accept all" records to some website?
The GET request would always include the name of the domain being queried, eg:
GET http://mydomain.com HTTP/1.1
-or-
GET http://www.mydomain.com HTTP/1.1
So the mydomain.com virtual host publisher has control. Another virtual host,
say 'www.spamdomain.com' would only be queried for 'spamdomain.com'. Hence
the issue of competition between virtual hosts never arises.
The domain's DNS administrator can prevent a webmaster from having any say
about SPF by creating a proper SPF TXT record in the first place.
Spammers can publish 'accept all' records for their own domains irrespective
of whether DNS or HTTP lookups are used. SPF is and should remain an SMTP
message repudiation mechanism - one which just happens to be a very useful
component in an overall anti-spam strategy.
- Dan
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.6.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/?listname
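To make the two points in Dan's reply concrete (virtual-host selection is keyed by the domain being queried, and a DNS TXT record takes precedence over anything a webmaster serves over HTTP), here is an added Python simulation; it is not code from the list or from any SPF implementation, and the DNS zone, virtual-host table and record values are constructed sample data.

```python
"""Simulated SPF lookup: DNS TXT first, HTTP fallback second.

Both the DNS table and the web-server virtual hosts are constructed
sample data; nothing is fetched from the network.
"""
from urllib.parse import urlsplit

# Constructed DNS zone data: what the DNS administrator has published.
DNS_TXT = {
    "mydomain.com": ["v=spf1 mx -all"],
    "spamdomain.com": [],      # no SPF record in DNS
    "otherdomain.com": [],     # no SPF record in DNS
}

# Constructed virtual-host table for one shared web server, keyed by the
# host name in the request. Each webmaster controls only their own vhost.
VHOSTS = {
    "mydomain.com": "v=spf1 +all",        # webmaster's record; DNS wins
    "www.spamdomain.com": "v=spf1 +all",  # spammer's own vhost
}

def serve(request_line: str):
    """Virtual-host dispatch for an absolute-URI request line such as
    'GET http://mydomain.com HTTP/1.1' (the form quoted in the message)."""
    method, target, _version = request_line.split(" ")
    if method != "GET":
        return None
    host = urlsplit(target).hostname
    return VHOSTS.get(host)   # no vhost for this name -> no record at all

def http_lookup(domain: str):
    """Try the bare domain, then its www. form, as the message describes."""
    for name in (domain, "www." + domain):
        record = serve(f"GET http://{name} HTTP/1.1")
        if record is not None:
            return record
    return None

def spf_record(domain: str):
    """The DNS TXT record takes precedence; HTTP is only a fallback."""
    dns = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if dns:
        return dns[0]
    return http_lookup(domain)

if __name__ == "__main__":
    for d in ("mydomain.com", "spamdomain.com", "otherdomain.com"):
        print(d, "->", spf_record(d))
```

otherdomain.com shares the server with the spammer's vhost but never receives its record: the request for otherdomain.com is routed by that name alone, so the only way to give it an SPF policy is a record in its own DNS or its own vhost.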