spf-discuss

Re: Error looking up SPF record

2004-04-06 12:11:42
On Sun, 2004-03-28 at 23:56, Greg Connor wrote:
> --Roger Moser <Roger(_dot_)Moser(_at_)pamho(_dot_)net> wrote:
>
> > In section 3 of the specifications it says:
> >
> >      Error: indicates an error during lookup; an MTA MAY reject the
> >      message using a transient failure code, such as 450.

(snip)

> HOWEVER, on thinking about this a bit more, if we are serious about
> stopping phishing/joe-job email, I can see some value in setting this to
> SHOULD.  If there are any popular SPF clients that let the crap on through
> when the nameservers are all down, then we may be unwittingly encouraging
> people to DDOS/otherwise attack the name servers so they can get their
> phishing attempt on through.  If an attack brings down the nameservers, and
> that just delays mail coming from that domain, that provides less incentive
> for spammer/scammer to attack nameservers.

I agree with this as well.  In addition, if some SPF implementations
allow messages through during DNS failures while others don't, we may
not only be encouraging attacks on the DNS servers, but targeting of the
domains whose server uses a particular SPF implementation that behaves
in a certain manner.

-- 
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
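
Added example (not part of the original message or of any SPF implementation): the two lookup-error policies discussed in this thread, side by side, showing what each does with a message when the sender domain's nameservers are unreachable. The resolver is a stub, the domains, addresses and SPF record are constructed, and only ip4: terms and -all are evaluated.

```python
import ipaddress

class DNSTempError(Exception):
    """SERVFAIL or timeout: the answer is unknown, not 'no record'."""

# Constructed zone data: domain -> SPF TXT record (None = nothing published).
ZONE = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all", "nospf.example": None}

def lookup_txt(domain, nameservers_up=True):
    """Stub resolver (hypothetical); a real MTA would query DNS here."""
    if not nameservers_up:
        raise DNSTempError(domain)
    return ZONE.get(domain)

def spf_result(client_ip, domain, nameservers_up=True):
    """Return pass / fail / neutral / none / error for the sending host."""
    try:
        record = lookup_txt(domain, nameservers_up)
    except DNSTempError:
        return "error"  # lookup failed: must not be treated as "none"
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term == "-all":
            return "fail"
    return "neutral"

def smtp_reply(result, defer_on_error):
    """Map an SPF result to an SMTP reply code under the chosen error policy."""
    if result == "fail":
        return 550
    if result == "error" and defer_on_error:
        return 450  # transient failure: the sender retries once DNS is back
    return 250      # pass, none, neutral, or error under a fail-open policy
```

With the nameservers down, the fail-open policy accepts a message that would have been rejected with 550, while the deferring policy only delays mail for that domain, legitimate or not, until the lookup succeeds again.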

