Re: Arguments regarding "complexity"

2003-12-20 13:31:14
----- Original Message ----- 
From: "wayne" <wayne(_at_)midwestcs(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Saturday, December 20, 2003 9:01 PM
Subject: Re: [spf-discuss] Arguments regarding "complexity"

R$-.$-.$-.$-  $: $(host $4.$3.$2.$1.$f.HELO.$s._spf.domain.name. $:OK $)

I can't say that I've thought this through all the way, but this
appears to have some large holes in it that are open for possible
abuse and/or bugs. In particular, the HELO string can be almost
anything, including something that would screw up the parsing of this
domain.

That a HELO string can be forged is not something we can blame SPF for. In
the above example, I do nothing more than construct a compound query, after
the example of Philip, consisting of %{ir} ($4.$3.$2.$1), the envelope FROM
($f), a .HELO. text separator, and the parsed HELO string ($s), as known to
sendmail. That information is no more, or less reliable, than when parsed
to, say, a Milter.

Are you sure that this format will lead to unambiguous and valid
DNS lookups?

Perhaps $s should be run through an extra rule, clearing it of illegal chars
(map regex). But I was just outlining the idea. Otherwise, if the separator
is unambiguous enough, yes, we should get valid DNS lookups. :) Philip used
a dot in his example; but it could also be a pipe symbol, or something else.
Whatever works. The local DNS tool would only have to extract the three
parts, and do a regular SPF query.

P.S. Thanks for your unrelenting defence of SPF in NANAE. :)

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
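
The cleaning step and the three-part extraction discussed in this message, as an added example that is not part of the original post or of any SPF implementation. Assumptions: the function names, the conservative label character set, reducing the envelope sender to its domain, and refusing an unsafe HELO string instead of stripping characters from it.

```python
import re

SUFFIX = ["_spf", "domain", "name"]      # zone from the rule quoted in the message
SEP = "helo"                             # separator label; DNS ignores case, so compare lowercased
LABEL = re.compile(r"[a-z0-9_-]{1,63}")  # conservative label charset (assumption)

def clean_name(value):
    """Lowercased labels of value, or None if it cannot be embedded safely."""
    labels = value.lower().rstrip(".").split(".")
    # Refuse illegal characters, empty or over-long labels, and any label
    # that would be mistaken for the separator when the name is parsed.
    if not all(LABEL.fullmatch(l) for l in labels) or SEP in labels:
        return None
    return labels

def build_query(client_ip, mail_from, helo):
    """Return the compound query name, or None when an input must be refused."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(
            o.isascii() and o.isdigit() and int(o) <= 255 for o in octets):
        return None
    sender = clean_name(mail_from.rpartition("@")[2])  # sender domain only (assumption)
    greeting = clean_name(helo)
    if sender is None or greeting is None:
        return None
    name = ".".join(octets[::-1] + sender + [SEP] + greeting + SUFFIX)
    return name if len(name) <= 253 else None          # overall DNS name limit

def parse_query(name):
    """Recover (client_ip, sender_domain, helo) from a name made by build_query."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-3:] != SUFFIX or labels.count(SEP) != 1:
        return None                                    # wrong zone or ambiguous separator
    body = labels[:-3]
    cut = body.index(SEP)
    if cut < 5 or cut == len(body) - 1:                # need 4 IP labels, a sender, a HELO
        return None
    return ".".join(body[3::-1]), ".".join(body[4:cut]), ".".join(body[cut + 1:])
```

A HELO string that itself contains the separator label, or characters outside the label set, yields `None`, so the caller has to decide how to treat the message without issuing a lookup.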