spf-discuss

Re: Security Paper on forgery bounce DDoS

2004-04-18 03:02:51

----- Original Message ----- 
From: "wayne" <wayne(_at_)midwestcs(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Sunday, April 18, 2004 1:30 AM
Subject: Re: [spf-discuss] Security Paper on forgery bounce DDoS


1) SES asks if a particular message originated from a designated sender for
the domain by doing a CBV to the MX for that domain.

Oh, good, right in the first sentence you show why SES is far more
expensive than SPF.  So expensive that there are people who consider
CBV to be a DoS attack on the domain name that is being verified.
This has been mentioned many times.

And I don't know why because

B4 SPF - an SMTP receiver with N connections did 0 DNS lookups.
AD SPF - an SMTP receiver with N connections now does 1-2 or more DNS lookups.

So an ISP hosting, let's say, 1000 SMTP servers, each with an average of 100
messages per hour, will be getting slammed with forwarded DNS requests!

So are the ISPs going to scrutinize their customer SMTP operations because
they are hitting their DNS server too much?

Everyone keeps saying this is all negligible.  No expense.  Well, let's wait
until we get it widely deployed and we'll see if that is still the case.
The primary DNS servers are going to be shocked with all the failed requests
with everyone and their grandma doing redundant SPF domain lookups when the
odds are going to be very high that the request will fail.  I'm not a DNS
administrative expert, but I still predict a network bandwidth overhead
problem will develop.  This is one reason why I raised the "idea" on the SMTP
mailing list (and got slapped silly across the head for even mentioning it)
that maybe, "if we can get the sender information in the MX request, somehow,"
it can help reduce the network issues that will develop.  I'm usually
pretty good with my technical predictions.  But hey, I could be wrong too, and
I'm too old to have regrets even if I am :-).

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
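Added example (not part of the thread, and not code from either poster): a small Python model of the per-message DNS cost discussed above. The domains and SPF records are constructed, the resolver is an offline dictionary standing in for DNS, and the load figures at the end plug in the post's own 1000 servers x 100 messages/hour. The `mx` term is counted as one query (a real check also resolves each MX host's address records), so the per-record count is a lower bound; `count_spf_lookups` and `hourly_dns_queries` are hypothetical names chosen for this example.

```python
"""Estimate how many DNS queries an SPF check costs per message, offline.

Added example for the spf-discuss thread on SPF vs. CBV cost. Records,
domain names and the resolver table below are constructed for illustration.
"""

# Constructed stand-in for DNS: domain -> SPF TXT record. No network access.
FAKE_DNS = {
    "example.com": "v=spf1 mx include:_spf.mailhost.example -all",
    "_spf.mailhost.example": (
        "v=spf1 ip4:192.0.2.0/24 a:relay.mailhost.example "
        "include:_spf2.mailhost.example ~all"
    ),
    "_spf2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "simple.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

# SPF terms whose evaluation needs a DNS query. ip4/ip6/all are answered
# from the record text alone and cost nothing beyond the initial TXT fetch.
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def _parse_term(term):
    """Split an SPF term into (name, argument), dropping qualifier and CIDR.
    '-all' -> ('all', None); 'a:relay/24' -> ('a', 'relay');
    'redirect=_spf.x' -> ('redirect', '_spf.x')."""
    body = term.lstrip("+-~?").split("/", 1)[0]
    if "=" in body:
        name, arg = body.split("=", 1)
    elif ":" in body:
        name, arg = body.split(":", 1)
    else:
        name, arg = body, None
    return name.lower(), arg


def count_spf_lookups(domain, dns=FAKE_DNS, depth=0, max_depth=10):
    """Return the number of DNS queries needed to evaluate `domain`'s SPF
    record, assuming worst-case evaluation (no mechanism matches early, so
    every term is checked). Counts:
      - 1 for the TXT fetch of the record itself (a miss still costs this;
        that is the "failed request" case from the post),
      - 1 per a/mx/ptr/exists mechanism (mx counted once: lower bound),
      - the full recursive cost of each include:/redirect= target, whose
        own TXT fetch is the query the include term triggers.
    """
    if depth > max_depth:
        raise RecursionError("include/redirect chain too deep: %s" % domain)
    lookups = 1  # TXT query for this domain's record
    record = dns.get(domain)
    if record is None:
        return lookups
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        name, arg = _parse_term(term)
        if name not in LOOKUP_TERMS:
            continue
        if name in ("include", "redirect") and arg:
            lookups += count_spf_lookups(arg, dns, depth + 1, max_depth)
        else:
            lookups += 1
    return lookups


def hourly_dns_queries(servers, msgs_per_server_per_hour, lookups_per_msg):
    """Aggregate query rate an ISP's resolvers would see from `servers`
    SMTP receivers each checking `msgs_per_server_per_hour` messages."""
    return servers * msgs_per_server_per_hour * lookups_per_msg


if __name__ == "__main__":
    for d in ("simple.example", "example.com", "nonexistent.example"):
        print("%-25s %d DNS queries" % (d, count_spf_lookups(d)))
    # The post's scenario: 1000 servers x 100 msg/hour, at 2 and at 5 lookups.
    for per_msg in (2, count_spf_lookups("example.com")):
        print("%d lookups/msg -> %d queries/hour"
              % (per_msg, hourly_dns_queries(1000, 100, per_msg)))
```

A flat record with only ip4/ip6 terms costs the single TXT fetch; one level of `include` plus `mx` and `a` already pushes the worst case to five queries, which is where the "1-2 or more" per connection comes from. Note that the miss case (domain with no record) is not free either: the resolver still answers one query.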