On Fri, 21 Nov 2003, Dan Boresjo wrote:
On Friday 21 November 2003 5:58 pm, spf(_at_)jdl(_dot_)com wrote:
So, I was pondering how the proposed HTTP mechanism might
be abused too. Anyone thought through that one yet?
What if two different publishers of web content on virtual
hosts ended up "competing" for the content of that file on
the one real server? Would it be possible for a spammer
published "accept all" records to some website?
The GET request would always include the name of the domain being queried, eg:
GET http://mydomain.com HTTP/1.1
-or-
GET http://www.mydomain.com HTTP/1.1
So the mydomain.com virtual host publisher has control. Another virtual host,
say 'www.spamdomain.com' would only be queried for 'spamdomain.com'. Hence
the issue of competition between virtual hosts never arises.
HTTP 1.1 has the 'Host: ' header for exactly that reason - the syntax you
sugest is already in use for web proxies.
Personaly if we're going use more that one underlying protocol for SPF then
the non-dns protocol should be SMTP, as someone else proviously proposed (i
can't find the mail now, and the SPF mailing list archives arn't linked to
on the website, so google hasn't found them, so doing a site: search dosn't
work, afaict the only way yo find where the archives are is to subscribe to
the list, it would be nice if there was a link up :) ).
--
[http://pointless.net/] [0x2ECA0975]
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.6.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)©#�«Mo\¯HÝÜîU;±¤Ö¤Íµø�?¡