spf-discuss

Re: Security Paper on forgery bounce DDoS

2004-04-19 09:00:28
On Sun, 18 Apr 2004, Theo Schlossnagle wrote:

> On Apr 18, 2004, at 9:22 AM, Stuart D. Gathman wrote:
> > I am thinking about doing CBV only when there is no SPF record for the
> > claimed sending domain.  Does this sound like a reasonable policy?
> > It would encourage domains suffering from lots of CBV probes (with or
> > without SES) to publish SPF records.  I already do SES to prevent
> > bounce spam.
>
> That doesn't sound very nice.  You are going to punish people (due to
> fraud) for not implementing something that isn't an official standard.

Yes.  You caught my drift.  Speaking purely selfishly as a mail receiver,
I want to get rid of all the forged mail.  For domains that don't publish
SPF or some other scheme (reverse MX, etc), CBV is pretty much the only
tool I'm left with.  True, my probes will afflict innocent parties. 
However, if I don't probe, the bounced mail will afflict the same
innocent parties.  The problem is the forgers, not me.  I quarantine,
review, and discard mail based on content filtering too - but there is a limit
to how much I can reasonably review in my quarantine box.

Perhaps I should wait until the RFC is official.

I should point out that personally responding to a few bounced forgeries
a day is a great SPF evangelism tool.  About half of the postmasters I
contact to explain how they could have rejected forged mail claiming to be from
me by checking my SPF records are enthusiastic about the concept, and
generally very happy about the simplicity of publishing their own records.
For small domains of individuals and small businesses, they don't even
have to mess with SRS - just whitelist potential forwarders.

BTW, it looks like the original RMX proposal has been subsumed into SPF.
The new RMX++ proposal seems to be a scheme for dynamically certifying mail
via a web service - too expensive in my opinion.

Are there any other sender policy systems other than SPF I could check for?
The big thing going for SPF is working code.

-- 
                        Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
      Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
      "Very few of our customers are going to have a pure Unix
      or pure Windows environment." - Dennis Oldroyd, Microsoft Corporation
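The receiver policy debated above (SPF decides when the claimed sender domain publishes a record; callback verification is used only as the fallback when it publishes none), written out as an added example. This is not code from the post or from any SPF implementation: the DNS table is a constructed stand-in for TXT lookups, the domains and addresses are made up, and the SPF evaluator is deliberately reduced to the `ip4`, `include` and `all` mechanisms so the policy logic stays visible.

```python
"""Receiver-side policy: run SPF when a record exists, fall back to CBV only when
none does.  Added example; the DNS table and the reduced SPF evaluator are
constructed stand-ins, not a real resolver or a full RFC-grade SPF library."""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> list of TXT strings.
FAKE_DNS_TXT = {
    "spf-publisher.example": ["v=spf1 ip4:192.0.2.0/24 include:forwarder.example -all"],
    "forwarder.example": ["v=spf1 ip4:198.51.100.7 -all"],
    "softfail.example": ["v=spf1 ip4:203.0.113.1 ~all"],
    "no-spf.example": ["some unrelated txt record"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, dns=FAKE_DNS_TXT):
    """Return the domain's v=spf1 TXT record, or None when it publishes none."""
    for txt in dns.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(domain, client_ip, dns=FAKE_DNS_TXT, depth=0):
    """Reduced SPF evaluation: ip4, include and all only (a, mx, ptr, exists and
    macros are out of scope here).  Returns pass/fail/softfail/neutral/none."""
    record = get_spf_record(domain, dns)
    if record is None:
        return "none"
    if depth > 10:          # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qual]
        if name == "ip4":
            # version mismatch (IPv6 client vs ip4 network) simply does not match
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qual]
        elif name == "include":
            # include matches only when the referenced domain's policy passes
            if check_spf(arg, client_ip, dns, depth + 1) == "pass":
                return QUALIFIER[qual]
    return "neutral"        # record exhausted without an explicit all


def receiver_policy(sender_domain, client_ip, dns=FAKE_DNS_TXT):
    """Decide what to do with an inbound MAIL FROM, mirroring the policy in
    the post: a published record settles it; CBV only when there is none."""
    result = check_spf(sender_domain, client_ip, dns)
    if result == "none":
        return "cbv"            # no SPF record: probe the claimed sender instead
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"         # forged: reject at SMTP time, no bounce generated
    return "content-filter"     # softfail/neutral/permerror: existing filtering


if __name__ == "__main__":
    for dom, ip in [("spf-publisher.example", "192.0.2.10"),
                    ("spf-publisher.example", "198.51.100.7"),
                    ("spf-publisher.example", "203.0.113.9"),
                    ("softfail.example", "10.0.0.1"),
                    ("no-spf.example", "10.0.0.1")]:
        print(f"{dom:24s} {ip:15s} -> {receiver_policy(dom, ip)}")
```

Rejecting at SMTP time on an SPF fail is what keeps the receiver from generating the bounce that would otherwise land on the forged sender, which is the whole point of the post; the `cbv` branch is reached only for domains that give the receiver nothing to check.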