spf-discuss

Re: SES vs. SPF, was Re: Security Paper on forgery bounce DDoS

2004-04-19 03:07:14
On Sun, 18 Apr 2004, wayne wrote:

> Both HTTP and SMTP use TCP/IP, so they both require a three-way
> handshake on connection create and a four-way handshake for closing the
> connection.  The HTTP requires one command to be sent (one packet) and
> one response packet to be received (one packet).  A CBV via SMTP is
> going to require exchanges for the HELO, MAIL FROM: and RCPT TO
> commands.  The receiving SMTP server will also likely do a bunch of
> other DNS checks to filter out the spam sources.

Note that CBV is compatible with SMTP PIPELINING, so an SMTP client can
ask an SMTP server to verify multiple addresses in one command group (i.e.
one packet). However connection setup and teardown is more expensive than
HTTP, and SMTP servers do a lot more client checking than HTTP servers.

> As far as CPU costs go, the CBV is going to be more expensive than
> SPF.

Even on an SMTP server that is doing extensive content-based
anti-spam and anti-virus scanning, there is plenty of spare CPU.

I see no reason not to use both SES and SPF, along with something like
MS's Caller-ID, or Yahoo's DomainKeys, or S/MIME or something to
verify the mail headers. These tools all allow you to solve different
problems, but they don't do a good job of solving every problem.

SES can be used to verify 822 originator addresses as I explained in
another message.

Perhaps there should be an option in SPF for saying "this domain uses
SES to authenticate messages rather than IP addresses".

-- 
Tony Finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
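The round-trip argument above (a CBV needs HELO, MAIL FROM: and one RCPT TO: per address, but PIPELINING lets a client batch them into one command group) is easy to see on the wire. The following is an added example, not code from the thread or from any SPF/SES implementation: a tiny SMTP responder on a loopback socket with a constructed mailbox table, and a callback-verification client that runs the same exchange with and without PIPELINING and counts how many times it has to stop and wait for the server. The server name, the verifier hostname and the mailbox list are all made up.

```python
"""Simulated SMTP callback verification (CBV), pipelined vs. one-command-at-a-time.

Added example; the verifying server is a loopback stand-in, not a real MTA.
"""
import socket
import threading

# Constructed mailbox table for the stand-in server (assumption).
KNOWN_MAILBOXES = {"alice@example.org", "bob@example.org"}


def _handle(line: str) -> bytes:
    """Reply to one SMTP command; only the verbs a CBV needs are supported."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "EHLO":
        # Advertise PIPELINING so the client may batch MAIL/RCPT/QUIT.
        return b"250-example.org\r\n250 PIPELINING\r\n"
    if verb == "HELO":
        return b"250 example.org\r\n"
    if verb == "MAIL":
        return b"250 2.1.0 Ok\r\n"
    if verb == "RCPT":
        addr = arg.split(":", 1)[1].strip().strip("<>").lower()
        return b"250 2.1.5 Ok\r\n" if addr in KNOWN_MAILBOXES else b"550 5.1.1 User unknown\r\n"
    if verb == "RSET":
        return b"250 2.0.0 Ok\r\n"
    if verb == "QUIT":
        return b"221 2.0.0 Bye\r\n"
    return b"500 5.5.2 Command not recognized\r\n"


def _serve_once(srv: socket.socket) -> None:
    """Accept one connection, send the greeting, answer commands until QUIT."""
    conn, _ = srv.accept()
    with conn:
        conn.settimeout(5)
        conn.sendall(b"220 example.org ESMTP\r\n")
        buf = b""
        while True:
            data = conn.recv(4096)
            if not data:
                break
            buf += data
            replies = []
            while b"\r\n" in buf:  # a pipelined group arrives as several lines at once
                line, buf = buf.split(b"\r\n", 1)
                replies.append(_handle(line.decode()))
            if replies:
                conn.sendall(b"".join(replies))
                if replies[-1].startswith(b"221"):
                    break


def _read_reply(f) -> str:
    """Read one (possibly multi-line) SMTP reply; '250-' marks a continuation."""
    lines = []
    while True:
        line = f.readline().decode().rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def callback_verify(addresses, pipelining=True):
    """Verify each address with a null-sender RCPT TO: probe.

    Returns ({address: accepted}, round_trips) where round_trips counts every
    point at which the client had to stop and wait for the server.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=_serve_once, args=(srv,), daemon=True)
    t.start()
    round_trips = 0
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        f = c.makefile("rb")

        def exchange(cmds):
            nonlocal round_trips
            if cmds:
                c.sendall(b"".join(cmds))  # one write per command group
            round_trips += 1
            return [_read_reply(f) for _ in range(max(len(cmds), 1))]

        exchange([])  # server greeting
        ehlo = exchange([b"EHLO verifier.example.net\r\n"])[0]
        use_pipe = pipelining and "PIPELINING" in ehlo
        cmds = ([b"MAIL FROM:<>\r\n"]
                + [b"RCPT TO:<%s>\r\n" % a.encode() for a in addresses]
                + [b"QUIT\r\n"])
        if use_pipe:
            replies = exchange(cmds)  # MAIL, all RCPTs and QUIT in one group
        else:
            replies = [exchange([cmd])[0] for cmd in cmds]  # wait after each
    srv.close()
    t.join(timeout=2)
    rcpt_replies = replies[1:-1]  # drop the MAIL and QUIT replies
    return {a: r.startswith("250") for a, r in zip(addresses, rcpt_replies)}, round_trips


if __name__ == "__main__":
    probe = ["alice@example.org", "bob@example.org", "carol@example.org"]
    for pipe in (True, False):
        result, rt = callback_verify(probe, pipelining=pipe)
        print(f"pipelining={pipe}: {rt} round trips, {result}")
```

With three addresses the pipelined run waits three times (greeting, EHLO, then the whole MAIL/RCPT/QUIT group), while the one-at-a-time run waits seven times; the TCP setup and teardown handshakes the message mentions come on top of both, and a real receiving MTA would add its own DNS and reputation checks before answering. That per-connection overhead is the cost a verifier pays on every probe, which is why a flood of forged bounces can push it well beyond a single HTTP request/response.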