spf-discuss
[Top] [All Lists]

Re: accreditation modifier

2004-03-11 22:09:00
On Wed, Mar 10, 2004 at 02:08:34PM -0800, Hallam-Baker, Phillip wrote:
|
| I would very much like to get rid of the macro expansion for
| security reasons.

--Meng Weng Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> wrote:
Actually I would've required the macro expansion for security reasons.

| The point is that the accreditation is only for the domain that
| has been accredited. I do not want the software to react to
| things like:
|
| spammer.com TXT "v=spf1 mx -all accredit=example.com.accreditor.net"
|
| This is hijacking another person's accreditation.

And one way to prevent it is for reputation services to only recognize
certain RHS strings.  That way, with %{d} expansion, spammer.com's
accredit=%{d}.accreditor.net will only expand to
spammer.com.accreditor.net and not example.com.accreditor.net.

    my %recognized_accreditors = ( "%{d}.accreditor.net" => -10,
                                   "%{d}.verisign.com"   => -10,
                                   ...,
                                 );

Macros are perfect for this.

Spammers can try to do accredit=always-return-maxgood.com but because
that's not recognized it doesn't do anything.


I think you are both talking about the same issue two different ways. Phillip's suggestion was "make the current-domain a non-optional part of the process by leaving out the %{d} and assume we should look up %{d}.+$value.". It looks like your suggestion is "make the current-domain non-optional, the domain owner must include %{d} and the checker must check that it is there".

So my question to both of you.

1. If it is not optional, why should we force users to type it?
2. Are there ever situations where you would want to reference another accreditation (like if I am sending from altavista.com can I take advantage of accreditation for altavista.net? or can support.altavista.com ride along with altavista.com?) 3. Are there ways this can be abused? If my domain is oo.com can I steal credibility from yahoo.com with "yah%{d}.lookup.bondedguys.com" If we force %{d} to be there, should we force it to be at the beginning and have a . after?





--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>


<Prev in Thread] Current Thread [Next in Thread>