spf-discuss

RE: Security Paper on forgery bounce DDoS

2004-04-17 11:55:20
From: Meng Weng Wong
Sent: Friday, April 16, 2004 5:49 PM


On Fri, Apr 16, 2004 at 03:55:37PM -0500, Dustin D. Trammell wrote:
| This is fairly common knowledge to most of us because the heart of the
| issue is what SPF intends to remedy, but I thought I'd send it along in
| case anyone wanted to take a look.  This paper on using forgery bounces
| as a DDoS was posted to one of the security lists I'm on a week or so
| ago.
|
| http://www.techzoom.net/paper-mailbomb.asp

thanks for posting that paper.

I wonder if they're up to speed on our work.

Next I expect to see researchers announce that water is wet, beer makes
people drunk, and soldiers get killed in battle.

Actually, the implications are not so boring as they first seem.  SPF cannot
do a creditable job of stopping this type of traffic (forged bounce spam)
until the SPF adoption rate is fairly high.  This may or may not happen
within a reasonable time frame, despite everyone's best efforts.  On the
other hand, any one of the Signed Envelope Sender approaches that have been
mentioned on this list and SRS-discuss will stop all of it today, without
anyone else adopting anything.  They also deliver all the other
functionality that SPF+SRS does.

--

Seth Goodman
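
The point made in the reply above, that a signed envelope sender lets a domain refuse forged bounces without anyone else adopting anything, shown as an added example that is not part of the original message and not any specific proposal from the list. The `+ses-<day>-<mac>` address format, the key, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed secret, known only to our own MTAs
MAX_AGE_DAYS = 7                # assumption: tags older than this are refused
TAG_LEN = 10                    # hex characters of the truncated HMAC


def _mac(local: str, domain: str, day: int, key: bytes) -> str:
    # Bind the tag to the mailbox and the day it was issued.
    msg = f"{day}:{local.lower()}@{domain.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def sign_sender(address: str, day: int, key: bytes = KEY) -> str:
    """Outbound: rewrite MAIL FROM user@dom to user+ses-<day>-<mac>@dom."""
    local, domain = address.rsplit("@", 1)
    return f"{local}+ses-{day}-{_mac(local, domain, day, key)}@{domain}"


def accept_bounce(rcpt: str, today: int, key: bytes = KEY) -> bool:
    """Inbound with MAIL FROM:<> only: accept iff RCPT TO carries our tag."""
    local_part, _, domain = rcpt.rpartition("@")
    local, sep, tag = local_part.rpartition("+ses-")
    if not sep:
        return False                      # untagged: we never sent this mail
    day_str, _, mac = tag.partition("-")
    if not (day_str.isascii() and day_str.isdigit()):
        return False
    day = int(day_str)
    if not 0 <= today - day <= MAX_AGE_DAYS:
        return False                      # expired or future-dated tag
    expected = _mac(local, domain, day, key)
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample: day numbers are days since an arbitrary epoch.
    signed = sign_sender("alice@example.org", 12500)
    for rcpt in (signed, "alice@example.org",
                 "alice+ses-12500-0000000000@example.org"):
        print(rcpt, "->", "accept" if accept_bounce(rcpt, 12503) else "reject")
```

The check runs entirely on the domain's own inbound servers: a bounce caused by a forgery is addressed to the untagged mailbox and is refused, whatever the forger's relay or the bouncing host has or has not deployed.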