At 01:53 AM 8/27/2004 +0300, Andriy G. Tereshchenko wrote:
Roger Moser:
Of course if you have "exists:%{l}.spf.example.com" in your
SPF record, then
(1) you must prevent that everyone can read the names of the
subdomains from your name server (that means you must disable
zone transfers) and
(2) you must be prepared for a dictionary attack.
Otherwise don't use "exists:%{l}.spf.example.com".
What do you mean by a dictionary attack for "exists:%{l}.spf.example.com"?
Are you willing to allow some users to send emails from any IP?
This is nonsense - you must use "exists:" to configure SPF on a per-user
basis, not to bypass it.
If you wish to allow select users to bypass SPF, impose some limit on this.
Create dynamic %{ir}.%{l}.spf.example.com and track IPs used while sending
emails from that user.
Block IPs blacklisted in some reputation services, block high-volume queries
(but allow the user to white-list IPs or ranges in some
web interface).
I agree with you that bypassing SPF using "exists:%{l}.spf.example.com" is
clearly a misconfiguration!
http://spf.pobox.com/spf-draft-200406.txt
9.5 Per-user exemptions
The "exists" mechanism can be used to exempt certain users from the SPF
requirements that apply to the rest of the domain.
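The per-user exemption discussed in this thread (the "exists:" target %{ir}.%{l}.spf.example.com that binds a user to the IPs they send from, versus the looser %{l}-only form), as an added example that is not part of this thread or of any SPF implementation; it assumes a constructed exemption zone, the sender domain example.com, and only the macros %{l} %{i} %{d} %{s} %{o} with the digit and "r" transformers:

```python
import ipaddress
import re

# Constructed per-user exemption zone: each name stands for one that would
# carry an A record under spf.example.com. Binding the reversed IP to the
# local-part ties an exemption to both the user and the sending address, so
# guessing a valid local-part alone is not enough to pass the check.
EXEMPT_ZONE = {
    "8.0.0.10.alice.spf.example.com",    # alice may send from 10.0.0.8
    "4.3.2.192.alice.spf.example.com",   # alice may also send from 192.2.3.4
}
PER_USER_IP = "%{ir}.%{l}.spf.example.com"   # target proposed in the thread
PER_USER_ONLY = "%{l}.spf.example.com"       # looser form, kept for contrast

MACRO = re.compile(r"%\{([a-z])(\d*)(r?)\}")

def expand_macro(expr, sender, ip, domain):
    """Expand %{l} %{i} %{d} %{s} %{o}, with an optional right-hand label
    count and the 'r' (reverse) transformer, e.g. %{ir} or %{d2}."""
    local, _, sender_domain = sender.partition("@")
    addr = ipaddress.ip_address(ip)
    # %{i} is dotted decimal for IPv4 and dotted nibbles for IPv6
    ip_text = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {"l": local, "i": ip_text, "d": domain, "s": sender, "o": sender_domain}

    def sub(m):
        letter, count, rev = m.groups()
        labels = values[letter].split(".")
        if rev:
            labels.reverse()
        if count:
            labels = labels[-int(count):]   # keep only the rightmost N labels
        return ".".join(labels)

    return MACRO.sub(sub, expr)

def user_exempted(zone, target, sender, ip, domain):
    """True when the expanded exists: target has a record in the zone."""
    return expand_macro(target, sender, ip, domain) in zone

def add_exemption(zone, local, ip):
    """Register one (user, IP) pair, as a web-interface white-list step would."""
    zone.add(expand_macro(PER_USER_IP, f"{local}@example.com", ip, "example.com"))

if __name__ == "__main__":
    for who, ip in [("alice@example.com", "10.0.0.8"), ("alice@example.com", "203.0.113.9"),
                    ("bob@example.com", "10.0.0.8")]:
        ok = user_exempted(EXEMPT_ZONE, PER_USER_IP, who, ip, "example.com")
        print(who, ip, "exempt" if ok else "not exempt")
```

With PER_USER_ONLY the lookup name drops the IP entirely, so any host that knows a listed local-part passes; PER_USER_IP fails closed until that (user, IP) pair has been added.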