-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Lars
Dybdahl
Sent: Thursday, April 15, 2004 3:00 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: SV: [spf-discuss] Publishing of SPF Records
I assume that you would like, that the SPF specification is
extended with:
"If DNS lookup fails, try to look up http://domainname/spf.txt";
yes, something like that
In many cases, this will give a timeout, because
http://domainname/ doesn't exist.
OK, but with timeouts we can life. You can have even DNS timeouts.
SPF implementation have to deal anyway with timeouts. Otherwise
you could DOS easily a SPF enabled MTA.
If your mailserver receives
a million smtp requests a day, you would have to make a
million http lookups a day, which means that you might have
to buy more servers to handle the load.
Even that is a matter on how you implement it. DNS answers are cached
according to their TTL. But what stops you from caching http answers?
Also, you would get
many complaints from people that you are hitting their
webserver with a lot of requests, because somebody else is
abusing their e-mail address.
Huch, what about DNS Server? Are u not hitting them? There are even some
old implementations in the wild which u might bring down with a flood of
requests.....
Basically you would get
complaints because you implemented SPF. A denial of service
attack on a webserver would also get easier: Write a virus
where the sender address is always using the same domain
name... This would make mailservers all over the world trash
the webserver.
Same Problem could be valid for DNS as said above. Just web logs
are closer monitored usually by the admins than DNS logs.....
A lot of people that I know, responsible for big e-mail
systems, would not put SPF filtering into their systems, if
it contained http lookups on people's webservers.
http lookups would be optional. So every mail operator could choose himself
to enable them or not......
This means
that putting http into SPF slows down adoption, and we
wouldn't like that, would we?
No, maybe it even would speed it up if EVERYBODY would be able to publish spf
records on
every lowcost domain....
So basically, http is not going into SPF because we don't
want it there for a billion reasons.
Who is we? Are u speaking for everyone here? Why dont we wait for other people
to give their personal comments?
Lars.
-----Oprindelig meddelelse-----
Fra: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com på vegne af Stefan
Engelbert
Sendt: to 15-04-2004 14:25
Til: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Emne: RE: [spf-discuss] Publishing of SPF Records
But why would it kill SPF? If I own domain abc.com I will be
the only one who can create http://abc.com/spf.txt so how can
somebody else provide SPF functionallity to my abc.com domain?
-------
Sender Policy Framework: http://spf.pobox.com/ Archives at
http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/spf-draft-200403.txt
Wiki:
http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily
deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
This mail was checked for malicious code and viruses
by GFI MailSecurity. GFI MailSecurity provides email content
checking, exploit detection, threats analysis and anti-virus for
Exchange & SMTP servers. Viruses, Trojans, dangerous
attachments and offensive content are removed automatically.
Key features include: multiple virus engines; email content and
attachment checking; an exploit shield; an HTML threats engine;
a Trojan & Executable Scanner; and more.
In addition to GFI MailSecurity, GFI also produces the
GFI MailEssentials anti-spam software, the GFI FAXmaker
fax server & GFI LANguard network security product ranges.
For more information on our products, please visit
http://www.gfi.com. This disclaimer was sent by
GFI MailEssentials for Exchange/SMTP.