spf-discuss

Just an idea

2003-11-30 11:51:13
You know, I've been thinking some more on the trusted-forwarders
whitelisting. :)

Now I could do a query like this:

"exists:%{p}.wl.trusted-forwarder.org"

But it occurred to me, that such a list would, rather soon, become quite
extensive; especially if it plans on keeping record, exhaustively, of all
whitelisted mx records, and such, of its whitelisted domains. So that what
you really want, actually, is to be able to add a mechanism to the query;
for instance, like so:

"exists:(mx):%{p}.wl.trusted-forwarder.org"

[Note: keeping the mechs in () because the "mx:" notation etc. could prove
ambiguous]

Sticking to the "ebay.com" example, %{p} would expand to "ebay.com", and
just 1 query would be made for:

ebay.com.wl.trusted-forwarder.org

Should that single query to the global whitelist return "exists"
(127.0.0.2), the mechanism (if any) would be applied, locally (!), and, in
this case, ebay.com would be queried for its mx records. Should one of them
be our connecting IP address, we consider that address whitelisted.

The advantages, of course, would be several:

1): The global whitelist is hit by only 1 query.

2): Instead of having to pre-emptively guess what people will query, and
thus whitelist the results of a whole set of expanded mechanisms for a
domain (like ptr, a, mx, etc), the global whitelist would only keep the one
domain name, and leave the further expansion into all possible mechs over to
preference, and scope, of the local user.

3): The whitelist would not have to concern itself with IP changes; and, in
fact, ALWAYS be up to date, as it would only list the domain name, whereas
the one making the query does the live mx, ptr, a, query.

The one making the whitelist query could combine things too, like so:

"exists:(mx ptr a):%{p}.wl.trusted-forwarder.org"

Which would consider all mx, ptr, and a records of domain %{p} whitelisted.
Or just keep the query "as is":

"exists:%{p}.wl.trusted-forwarder.org"

Which would just do the straight lookup.

Anyway, just an idea.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
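The lookup-then-expand-locally flow the post proposes, as an added example (not code from the post or from any SPF implementation); it assumes a constructed in-memory DNS table in place of a real resolver and takes the already-determined %{p} domain as a parameter:

```python
import re
from ipaddress import ip_address

# Constructed in-memory DNS table standing in for live lookups (assumption:
# a real checker would use an actual resolver here).
FAKE_DNS = {
    ("ebay.com.wl.trusted-forwarder.org", "A"): ["127.0.0.2"],
    ("ebay.com", "MX"): ["mx1.ebay.com"],
    ("mx1.ebay.com", "A"): ["192.0.2.10"],
    ("ebay.com", "A"): ["192.0.2.20"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mx1.ebay.com"],
}

# Accepts both "exists:(mx ptr a):<name>" and the plain "exists:<name>" form.
MECH_RE = re.compile(r"^exists:(?:\(([a-z ]+)\):)?(.+)$")

def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def parse(mech):
    m = MECH_RE.match(mech)
    if not m:
        raise ValueError("not an exists mechanism: " + mech)
    return (m.group(1) or "").split(), m.group(2)

def ips_for(mechname, domain, client_ip):
    """Expand one sub-mechanism (a, mx, ptr) locally into a set of IPs."""
    if mechname == "a":
        return set(lookup(domain, "A"))
    if mechname == "mx":
        return {ip for mx in lookup(domain, "MX") for ip in lookup(mx, "A")}
    if mechname == "ptr":
        # Reverse name must lie under the domain and resolve back to the client.
        rev = ip_address(client_ip).reverse_pointer
        hosts = [h for h in lookup(rev, "PTR")
                 if h == domain or h.endswith("." + domain)]
        return {client_ip for h in hosts if client_ip in lookup(h, "A")}
    raise ValueError("unsupported sub-mechanism: " + mechname)

def check(mech, validated_domain, client_ip):
    """True if client_ip is whitelisted under the proposed syntax."""
    mechs, template = parse(mech)
    name = template.replace("%{p}", validated_domain)
    if "127.0.0.2" not in lookup(name, "A"):   # the single global query
        return False
    if not mechs:                              # plain exists: domain is enough
        return True
    # Sub-mechanisms are applied locally against the connecting IP.
    return any(client_ip in ips_for(m, validated_domain, client_ip) for m in mechs)
```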

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt

