spf-discuss

SPF and the ASRG

2003-11-21 13:39:41
John Levine recently replaced Paul Judge as co-chair of ASRG.

Here is what he said recently.

On Fri, Nov 21, 2003 at 02:52:29PM -0500, John R Levine wrote:
| 
| ASRG is currently thinking that it'll encourage all three SPFish
| authors to finish a spec and let Alan DeKok write a shared overview of
| the three approaches without specific reference to any of them.  At
| this point I don't see any of them as uniformly better than the other
| two.
| 
| Having recently looked at all three proposals, I would opine that RMX
| sucks because the responses for large domains will be too big for a
| UDP DNS packet, and providing the full set of valid source IPs invites
| an attack where the bad guy scans the range looking for compromised or
| compromisable domains and if he has one, he blasts away.  SPF sucks
| for the reasons RMX does, and in addition it overloads TXT records and
| requires a complex parser for the TXT data that I don't know how I'd
| validate or test for security holes that will crash MTAs.  (Test #1 is
| to feed it TXT records full of garbage and watch the MTA crash like
| parsers fed garbage always do.  Test #2 is to set up a hostile domain
| where the SPF record for N.hostile.com includes the data for
| N+1.hostile.com for a large range of N and see if the parser recurses
| to death.)  DMP sucks because it overloads A records, can require
| a whole lot of records for large domains, alleviated somewhat by
| wildcards and BIND "generate" statements, and creates new reserved
| namespace.  (Oh, wait, I guess SPF does that, too.)  All three suck
| because they break pobox-style mail forwarding unless the forwarder
| does VERP-ish return path rewriting which I can tell you from
| experience with abuse.net is a pain in the butt in practice.
| 
| Personally, of the three I prefer DMP because it's easiest to use in a
| recipient MTA and avoids the scanning attack, but reasonable people
| can differ.  We won't really know how they work in practice until
| there are real-life trials of all three and we can compare some data on how
| hard they are to set up, how expensive to use, how much spam they
| deter, and how much real mail they break.
| 
| Regards,
| John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
| Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
| "I dropped the toothpaste", said Tom, crestfallenly.

SPF sucks for all the reasons DMP sucks, plus all the reasons RMX sucks.

Obviously, SPF will win!

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.6.txt
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/
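Levine's two parser tests (a TXT record full of garbage, and N.hostile.com including N+1.hostile.com for a large range of N) are easy to reproduce against a toy evaluator. The following is an added example written for this archive page; it is not code from the SPF project, the 2003 draft, or either poster. It is a deliberately minimal SPF evaluator (only ip4, include and all) over a constructed in-memory zone, and it assumes a per-check cap of ten include lookups, a limit that was not in the draft discussed here but was later fixed by RFC 4408 and RFC 7208. All domain names and addresses are hypothetical.

```python
import ipaddress

# Cap on DNS-querying mechanisms per check. Assumption for this demo: not in
# the 2003 draft; the limit of 10 was fixed later by RFC 4408 / RFC 7208.
MAX_DNS_LOOKUPS = 10

# Constructed in-memory TXT "zone" standing in for real DNS.
# All domains are hypothetical (reserved example names and test address blocks).
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.7 ~all"],
    # Levine's test #1: a TXT record full of garbage (bad IP, empty include, junk term)
    "junk.example": ["v=spf1 ip4:not.an.ip include: %%%% -all"],
    "noise.example": ["some unrelated TXT text", ""],
}
# Levine's test #2: N.hostile.com includes N+1.hostile.com for a large range of N.
for n in range(500):
    ZONE[f"{n}.hostile.com"] = [f"v=spf1 include:{n + 1}.hostile.com -all"]
ZONE["hostile.com"] = ["v=spf1 include:0.hostile.com -all"]

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, budget=None):
    """Evaluate `ip` against `domain`'s SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    `budget` is shared across nested include: evaluations, so the lookup cap
    applies to the whole check rather than to each record separately.
    """
    if budget is None:
        budget = {"lookups": 0}
    ip = ipaddress.ip_address(ip)

    # Only TXT records that start with the version tag count as SPF records.
    records = [r for r in ZONE.get(domain, [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"            # ambiguous: two SPF records published

    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        try:
            if name == "all":
                matched = True
            elif name == "ip4":
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "include":
                budget["lookups"] += 1
                if budget["lookups"] > MAX_DNS_LOOKUPS:
                    return "permerror"    # the hostile.com chain stops here
                sub = check_host(str(ip), arg, budget)
                if sub == "pass":
                    matched = True
                elif sub in ("fail", "softfail", "neutral"):
                    matched = False
                else:
                    return "permerror"    # include of none/permerror aborts
            else:
                return "permerror"        # unknown mechanism: refuse, don't guess
        except ValueError:
            return "permerror"            # malformed IP or network in the record
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                      # fell off the end of the record


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.com"),
                       ("198.51.100.7", "example.com"),
                       ("203.0.113.1", "example.com"),
                       ("203.0.113.1", "hostile.com"),
                       ("203.0.113.1", "junk.example"),
                       ("203.0.113.1", "noise.example")]:
        print(f"{ip:>14} {domain:<18} {check_host(ip, domain)}")
```

The design point is that the budget dictionary is passed down through every include, so the 500-deep hostile.com chain is cut off after ten lookups with a permerror instead of unbounded recursion, and every malformed term maps to permerror rather than an exception reaching the MTA.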

