spf-discuss

Re: Security Paper on forgery bounce DDoS

2004-04-18 23:06:57
--"Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com> wrote:
> 8) SES gives senders who adopt it immediate protection from bounce spam
> while still accepting valid DSN's without anyone else adopting
> anything. SPF+SRS requires wide adoption before achieving a
> significant reduction in bounce spam.

On Sun, 18 Apr 2004, wayne wrote:
True, and this is the thing I like about SES.  When I get time, I may
well use David Woodhouse's Exim patches to implement SES on my
system.

--"Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com> wrote:
I am thinking about doing CBV only when there is no SPF record for the
claimed sending domain.  Does this sound like a reasonable policy?
It would encourage domains suffering from lots of CBV probes (with or
without SES) to publish SPF records.  I already do SES to prevent
bounce spam.


I would agree with you (and wayne) that SES is great for reducing bounce spam. And, if you're going to do CBV anyway, you might as well skip it on those that you can verify with SPF. I think a "best case" scenario would be to use both SPF and SES. SES reduces incoming bounce spam now; SPF pays off more slowly, but is effective against other types of forgery that don't involve bounces.

I'm a bit late in commenting, but the following applies back to Seth's original comment about SES+CBV...

I personally don't like the idea of SES+CBV because I don't like CBV in general. Just a personal preference.

Also, without something published in DNS that says "accept only signed return paths" there is nothing to really stop others from spoofing your domain in their spam... there are still dozens of valid mailing addresses that accept mail and must therefore accept CBV requests... e.g. even if <gconnor(_at_)nekodojo(_dot_)org> doesn't accept direct mail (which would play heck with my normal replies, not to mention making me less reachable all around) then at the very least <postmaster(_at_)nekodojo(_dot_)org> must accept mail, so SES+CBV by itself would not stop forged messages claiming to be from a valid (but not signed) return address. And, if I'm going to publish something in DNS, I would rather just publish an SPF record.

For that reason, even if I get around my personal distaste for CBV, and even if I assume that CBV is "roughly equal" to SPF-receive (sender resources, receiver resources, ease of use etc, also up for debate), I still wouldn't stipulate that SES+CBV is an adequate replacement for SPF.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
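The receiver-side logic this thread argues about, as an added example that is not from the list or from any SES, SRS or SPF implementation: it uses a simplified HMAC-signed local part as a stand-in for the real SES format, a constructed mailbox list and DNS view for nekodojo.org, and reduces SPF evaluation to a boolean. It models Stuart's "CBV only when there is no SPF record" rule and shows Greg's objection: an unsigned but real address such as postmaster@ passes CBV.

```python
import hashlib
import hmac

# Constructed fixtures: a per-domain signing secret, the mailboxes that exist at
# the domain, and a toy DNS view in which nekodojo.org publishes no SPF record.
SECRET = b"constructed-site-secret"
LOCAL_USERS = {"gconnor", "postmaster"}
SPF_RECORDS = {"example.net": "v=spf1 -all"}
NOW = 1082329617           # fixed "current time" (seconds) so results are reproducible
MAX_AGE = 7 * 86400        # signed return paths older than a week are rejected

def _tag(local, domain, ts, secret):
    return hmac.new(secret, f"{local}:{domain}:{ts}".encode(), hashlib.sha1).hexdigest()[:8]

def ses_sign(local, domain, ts=NOW, secret=SECRET):
    """Sign an outgoing return path (simplified stand-in, not the real SES format)."""
    return f"SES={_tag(local, domain, ts, secret)}={ts}={local}@{domain}"

def ses_verify(addr, secret=SECRET, now=NOW, max_age=MAX_AGE):
    """Return the original address if the signature is valid and unexpired, else None."""
    local, _, domain = addr.partition("@")
    parts = local.split("=")
    if len(parts) != 4 or parts[0] != "SES" or not parts[2].isdigit():
        return None
    _, tag, ts, orig = parts
    if now - int(ts) > max_age:
        return None
    ok = hmac.compare_digest(tag, _tag(orig, domain, ts, secret))
    return f"{orig}@{domain}" if ok else None

def accepts_bounce(rcpt):
    """SES adopter's rule: a DSN is accepted only if addressed to a signed return path."""
    return ses_verify(rcpt) is not None

def cbv(sender):
    """Simulated callback verification against nekodojo.org: does the mailbox exist?"""
    local, _, domain = sender.partition("@")
    if domain != "nekodojo.org":
        return False
    if local.startswith("SES="):
        return ses_verify(sender) is not None
    return local in LOCAL_USERS       # unsigned but real mailboxes still answer

def receiver_policy(mail_from, ip_authorized_by_spf):
    """Stuart's proposal: check SPF when the domain publishes a record, else fall back to CBV."""
    domain = mail_from.partition("@")[2]
    if domain in SPF_RECORDS:         # SPF evaluation reduced to a boolean for the example
        return "spf-pass" if ip_authorized_by_spf else "spf-fail"
    return "cbv-pass" if cbv(mail_from) else "cbv-fail"
```

Without a published record, a forged "postmaster@nekodojo.org" is accepted by the CBV fallback just as a genuinely signed address is; adding an SPF record for the domain moves it onto the SPF branch.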