spf-discuss

IMPORTANT: The main point Nico and Co. are trying to make

2004-07-20 14:13:06
On Tue, 20 Jul 2004, Roger Moser wrote:

** The 'ptr' mechanism matches all IP addresses pointed to by all the A
records in the domain's zone. **

What Nico et al are trying to point out is that PTR can *potentially*
match any A record of any subdomain of the given domain.  If you use
PTR, and a spammer can control any of the IPs mentioned by any A record in your
domain or subdomains, then he can forge email from you.

Nico et al feel that this is counterintuitive and that the SPF ptr
mechanism matches more than what a typical sysadmin might expect.

I find SPF ptr perfectly intuitive.  "ptr:example.com" to me says
match any machine with a valid PTR whose name ends in example.com.
Of course, that would be ANY machine with a valid PTR whose name
ends in example.com - not just the ones you thought of when you
installed some PTR records.

This is simply not a problem for us small timers with a /29 netblock.
However, I can see that large corporations might be worried that 
among the vast numbers of A records under their domain, there might be
some old ones still pointing to obsolete IP addresses from an old ISP
that never got deleted.  If a spammer now controls the IP for one of
those forgotten A records, he can now forge email that will pass SPF.

There could also be a short lived problem with changing ISPs and 
old A records hanging around in DNS caches.  If a spammer could get
control of one of those old addresses soon enough, he could use the
window of opportunity to forge some emails that pass SPF.

A large corp should instead use the exists mechanism - which for this
application does not need a dynamic DNS server, just a subdomain
set aside for listing authorized mail sources.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
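The contrast drawn in the message above, as an added example that is not part of the original post: a simplified evaluation of the SPF `ptr` and `exists` mechanisms against a constructed in-memory DNS table (the domain, host names and addresses are hypothetical). A forgotten A record in a subdomain still satisfies `ptr:example.com`, while the `exists` check only matches addresses explicitly listed under the `_spf` subdomain.

```python
# Added example: simplified SPF "ptr" and "exists" evaluation over a
# constructed DNS table.  No real DNS lookups are made; all names and
# addresses are hypothetical.
from typing import Dict, List

# Constructed zone data for the hypothetical domain example.com.
# 192.0.2.99 belongs to a forgotten A record (old.lab.example.com) whose
# address was handed back to a former ISP but never deleted from DNS.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.com"],
    "192.0.2.99": ["old.lab.example.com"],
    "198.51.100.5": ["mx.other.example"],
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "old.lab.example.com": ["192.0.2.99"],
    "mx.other.example": ["198.51.100.5"],
    # Subdomain set aside for "exists": one entry per authorized IP,
    # keyed by the reversed address (what the %{ir} macro expands to).
    "10.2.0.192._spf.example.com": ["127.0.0.2"],
}


def validated_ptr_names(ip: str) -> List[str]:
    """PTR names for ip whose A records resolve back to ip (forward-confirmed)."""
    return [name for name in PTR_RECORDS.get(ip, [])
            if ip in A_RECORDS.get(name, [])]


def ptr_matches(ip: str, domain: str) -> bool:
    """SPF 'ptr:<domain>': any validated PTR name equal to, or ending in, <domain>."""
    return any(n == domain or n.endswith("." + domain)
               for n in validated_ptr_names(ip))


def exists_matches(ip: str, template: str) -> bool:
    """SPF 'exists:<template>' with %{ir}: reversed IP prepended to the listing zone."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    return bool(A_RECORDS.get(template.replace("%{ir}", reversed_ip)))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.99", "198.51.100.5"):
        print(ip, "ptr:", ptr_matches(ip, "example.com"),
              "exists:", exists_matches(ip, "%{ir}._spf.example.com"))
```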

