spf-discuss

Re: list of who's checking SPF

2004-04-16 13:13:52
In <1082144808.2949.41.camel@zelda.corporate>
"Dustin D. Trammell" <dtrammell@citadel.com> writes:

> On Fri, 2004-04-16 at 14:38, wayne wrote:
>> I think it is unwise to publish such a list of people using SPF until
>> such time as most SPF implementations do not have Denial of Service
>> attack problems.
>
> I completely agree that these known issues should be resolved before
> making public such a list.  Are these being actively discussed on the
> SPF-Devel list?

Some have been discussed on SPF-Devel, some have been discussed here
over the last 6 months.  Most are at least quasi-documented in the
libspf-alt source code.  A few are tested for in the SPF test suite,
but my TODO list has a bunch more that need to be checked for.

Sorry about being kind of vague on this issue, but, well, I don't
think it would be a good idea to say "hey folks, send several emails
claiming to be from foo@bar.invalid will take down any site that
checks for SPF."  This is especially true when at least one of the
issues was raised something like 6 months ago and, to the best of my
knowledge, only libspf-alt isn't vulnerable.


Basically, what implementers need to do is look through their code and
try to prove that the execution time, memory requirements and I/O
requests are always bounded.  Then, look through their code and see if
a cracker can use the SPF checks to amplify a DoS attack.  Oh, and
look through their code and prove that memory overwrites can not
occur, that there are no uninitialized variables, that no information
from previous checks can leak into current checks, etc.


-wayne
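The bounding exercise wayne describes (prove that execution time, memory and DNS I/O of an SPF check are always limited, whatever record the sender's domain publishes) can be shown on a small evaluator. The code below is an added example written for this archive page; it is not wayne's code and not libspf-alt. It handles only the `ip4`, `include`, `all` terms and the `redirect=` modifier, replaces DNS with a constructed in-memory resolver whose domain names and records are invented for the example, and charges every `include`/`redirect` against a fixed lookup budget. The page names no particular limit; the value 10 used here is the one RFC 7208 later standardized. An `include` loop is cut off explicitly, and exhausting the budget yields `permerror` instead of an unbounded chain of lookups.

```python
"""Bounded SPF evaluation sketch (added example, not libspf-alt)."""
import ipaddress

MAX_DNS_LOOKUPS = 10  # RFC 7208's later limit; the mailing-list post names no value

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class FakeResolver:
    """Constructed stand-in for DNS so the example runs offline."""

    def __init__(self, txt_records):
        self._txt = txt_records

    def txt(self, domain):
        return self._txt.get(domain.lower())


class _LimitExceeded(Exception):
    pass


class Budget:
    """Counts DNS-querying terms across the whole evaluation, includes included."""

    def __init__(self, limit=MAX_DNS_LOOKUPS):
        self.limit, self.used = limit, 0

    def spend(self):
        self.used += 1
        if self.used > self.limit:
            raise _LimitExceeded()


def _parse(record):
    """Return [(qualifier, name, argument)] for an spf1 record, or None if not SPF.
    Modifiers (name=value) get an empty qualifier so they can be told apart."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            name, value = term.split("=", 1)
            parsed.append(("", name.lower(), value))
            continue
        qual = "+"
        if term[0] in _QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qual, name.lower(), arg))
    return parsed


def check_host(resolver, ip, domain, budget=None, chain=()):
    """Evaluate `domain`'s SPF record for sender `ip` under a shared lookup budget.
    Returns one of pass / fail / softfail / neutral / none / permerror."""
    budget = budget or Budget()
    domain = domain.lower()
    if domain in chain:            # include/redirect cycle: stop instead of recursing
        return "permerror"
    chain = chain + (domain,)
    try:
        record = resolver.txt(domain)
        terms = _parse(record) if record is not None else None
        if terms is None:
            return "none"
        redirect = None
        for qual, name, arg in terms:
            if qual == "":         # modifier
                if name == "redirect":
                    redirect = arg
                continue           # unknown modifiers are ignored
            if name == "all":
                return _QUALIFIERS[qual]
            if name == "ip4":
                if ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
                    return _QUALIFIERS[qual]
            elif name == "include":
                budget.spend()     # each include is one DNS-querying term
                sub = check_host(resolver, ip, arg, budget, chain)
                if sub == "pass":
                    return _QUALIFIERS[qual]
                if sub in ("permerror", "none"):
                    return "permerror"
            else:
                return "permerror"  # mechanism this sketch does not implement
        if redirect:
            budget.spend()
            return check_host(resolver, ip, redirect, budget, chain)
        return "neutral"
    except (_LimitExceeded, ValueError):   # budget exhausted or malformed argument
        return "permerror"


# Constructed records: a normal domain, a mutual-include loop, and two records
# sitting exactly at and just over the lookup budget.
_TXT = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:sub.example -all",
    "sub.example": "v=spf1 ip4:198.51.100.7 -all",
    "redir.example": "v=spf1 redirect=good.example",
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
    "ten.example": "v=spf1 " + " ".join(f"include:n{i}.example" for i in range(10)) + " -all",
    "eleven.example": "v=spf1 " + " ".join(f"include:n{i}.example" for i in range(11)) + " -all",
}
for _i in range(11):
    _TXT[f"n{_i}.example"] = "v=spf1 -all"
RESOLVER = FakeResolver(_TXT)


def demo():
    """Run the constructed cases; every result is bounded by the budget."""
    return {
        "direct ip4": check_host(RESOLVER, "192.0.2.5", "good.example"),
        "via include": check_host(RESOLVER, "198.51.100.7", "good.example"),
        "no match": check_host(RESOLVER, "203.0.113.1", "good.example"),
        "redirect": check_host(RESOLVER, "192.0.2.5", "redir.example"),
        "include loop": check_host(RESOLVER, "203.0.113.1", "loop-a.example"),
        "ten includes": check_host(RESOLVER, "203.0.113.1", "ten.example"),
        "eleven includes": check_host(RESOLVER, "203.0.113.1", "eleven.example"),
        "no record": check_host(RESOLVER, "203.0.113.1", "nx.example"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} {result}")
```

The point of the design is that the cost of a check is a function of the verifier's constants, not of the record the remote domain chose to publish: the `Budget` object is threaded through every recursive call, so a deep or wide include tree, a loop, or a redirect chain all terminate after at most `MAX_DNS_LOOKUPS` queries with a `permerror`, and the loop test fails after two lookups rather than ten.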

