spf-discuss

Re: solving the CEO problem: proposed new mechanism for conditional logic

2004-01-20 22:44:49
In <20040121000434.GQ6875@dumbo.pobox.com> Meng Weng Wong <mengwong@dumbo.pobox.com> writes:

  exists:%{i}.%{l}._spf.domain.com

  and in dns, have: *.210.125.24.mengwong._spf.domain.com A 127.0.0.2

But it may be costly to do the lookup each time.  How often are you
going to see user X sending from network Y?  If a spammer decides to
forge your domain, they've gone and DOSed your DNS server.

There are a bunch of things that can mitigate this.

First, these kinds of expensive checks should be placed near the end
of your SPF record.

Secondly, for some domains, adding things like
-exists:%{ir}.cbl.abuseat.org, or -exists:%{ir}.dul.dnsbl.sorbs.net
may be acceptable and would be very effective at cutting out the spam
references.

Third, as Meng suggested, you can use include:%{l}._spf.%{d} and
special case the users that have records, and wildcard everyone else
to a blank TXT record.

Fourth, somewhat combining the second and third ideas, you can create
a blacklist via -exists:%{i}.%{l}._spf.%{d} and populate the tree via
wildcards except for those that you want to allow.

Fifth, you can increase the TTL for NXDOMAIN in the subzone that
contains your exists: tree.


So it would be nice if you could hardcode that relationship into the
main SPF record, which will be cached:

  if:%{l}=mengwong:ip4:208.210.125.0/24

Pretty cool, eh?

What do y'all think?  Would anyone actually use that?

My immediate reaction is "FEATURE CREEP!", but after I got over the
revulsion, I guess I don't have any huge problems with it.  I'm not
convinced that it is worth it and I think we should consider what
other, similar things we would want to allow.


-wayne
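The cost argument in the thread (one DNS query per message for exists: or include:, none for a condition evaluated inside the cached record) can be seen directly with a small evaluator. The block below is an added example, not code from the SPF draft or from either poster. It implements only the macros %{i}, %{l}, %{d} with the "r" (reverse) and label-count transformers, the mechanisms ip4, exists, include and all, and Meng's proposed `if:` with the assumed reading "apply the inner mechanism only when the expanded macro equals the value". The zone (under the assumed domain example.com) is a constructed in-memory table; its lookup follows the RFC 1034 closest-encloser rule for wildcards, which is why the per-user tree is keyed by the reversed address (%{ir}): with %{i} the first octet is the leftmost label, and a wildcard cannot constrain it, so a /24 could not be covered by one record.

```python
"""Toy SPF evaluator for the mechanisms discussed in the thread (added
example; subset of SPF, constructed zone, 'if:' semantics are assumed)."""
import ipaddress
import re
from dataclasses import dataclass

# --- macro expansion: %{letter[digits][r]}, '.' as the only delimiter ------
MACRO = re.compile(r"%\{([ild])(\d*)(r?)\}")

def expand_macro(template, ip, local, domain):
    def sub(m):
        letter, digits, rev = m.groups()
        parts = {"i": ip, "l": local, "d": domain}[letter].split(".")
        if rev:                       # %{ir}: reverse the labels
            parts.reverse()
        if digits:                    # %{i2r}: keep the rightmost N labels
            parts = parts[-int(digits):]
        return ".".join(parts)
    return MACRO.sub(sub, template)

# --- constructed zone: name -> (rrtype, data) -------------------------------
ZONE = {
    # one wildcard covers mengwong's whole /24 because the IP is reversed
    "*.125.210.208.mengwong._spf.example.com": ("A", "127.0.0.2"),
    # per-user record for include:%{l}._spf.%{d}
    "mengwong._spf.example.com": ("TXT", "v=spf1 ip4:208.210.125.0/24 -all"),
    # everyone else gets a blank record (matches nothing)
    "*._spf.example.com": ("TXT", "v=spf1"),
}

def dns_lookup(zone, name):
    """Exact match, else the wildcard under the closest encloser (the
    longest ancestor with any name at or beneath it), else NXDOMAIN."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if any(n == ancestor or n.endswith("." + ancestor) for n in zone):
            return zone.get("*." + ancestor)   # None means NXDOMAIN
    return None

# --- evaluator ---------------------------------------------------------------
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

@dataclass
class Session:
    ip: str
    local: str
    domain: str
    zone: dict
    lookups: int = 0                  # DNS queries charged to this message

    def lookup(self, name):
        self.lookups += 1
        return dns_lookup(self.zone, name)

    def expand(self, template):
        return expand_macro(template, self.ip, self.local, self.domain)

def match_term(term, s):
    kind, _, arg = term.partition(":")
    if kind == "all":
        return True
    if kind == "ip4":
        return ipaddress.ip_address(s.ip) in ipaddress.ip_network(arg, strict=False)
    if kind == "exists":              # any A answer is a match
        rr = s.lookup(s.expand(arg))
        return rr is not None and rr[0] == "A"
    if kind == "include":             # matches only if the included record passes
        rr = s.lookup(s.expand(arg))
        return rr is not None and rr[0] == "TXT" and evaluate(rr[1], s) == "pass"
    if kind == "if":                  # proposed: if:<macro>=<value>:<mechanism>
        cond, _, inner = arg.partition(":")
        macro, _, want = cond.partition("=")
        return s.expand(macro) == want and match_term(inner, s)
    raise ValueError(f"unsupported term {term!r}")

def evaluate(record, s):
    """Left to right; the first matching term's qualifier is the result."""
    for term in record.split()[1:]:   # skip 'v=spf1'
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if match_term(term, s):
            return QUALIFIERS[qual]
    return "neutral"

def check(record, ip, local, domain="example.com", zone=ZONE):
    """Return (result, number of DNS lookups) for one message."""
    s = Session(ip, local, domain, zone)
    return evaluate(record, s), s.lookups

RECORD_EXISTS = "v=spf1 exists:%{ir}.%{l}._spf.%{d} -all"
RECORD_INCLUDE = "v=spf1 include:%{l}._spf.%{d} -all"
RECORD_IF = "v=spf1 if:%{l}=mengwong:ip4:208.210.125.0/24 -all"

if __name__ == "__main__":
    for rec in (RECORD_EXISTS, RECORD_INCLUDE, RECORD_IF):
        for ip, user in (("208.210.125.24", "mengwong"),
                         ("208.210.125.24", "alice"), ("10.0.0.1", "mengwong")):
            print(f"{rec:52} {user}@{ip:15} -> {check(rec, ip, user)}")
```

Run stand-alone it prints the result and lookup count for each record and sender. The exists: and include: records charge one query per message whether the sender is legitimate, unknown (alice) or forged from an unrelated network, which is the query load a spammer forging the domain imposes; the `if:` record reaches the same verdicts with zero queries beyond the cached main record.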


-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt