From: Roger Moser
Sent: Wednesday, September 15, 2004 3:48 PM
<...>
This would not work in following case:
example.com. A 1.2.3.4
example.com. MX 10 mx.example.com.
example.com. TXT "v=spf1 a -all"
mx.example.com. A 1.2.3.4
www.example.com. A 1.2.3.4
example.com must also publish:
www.example.com. TXT "v=spf1 -all"
Another way cited by Bruce Gingery on spamtools.abuse.net in
http://archive.iecc.com/article/spamtools/20040904001 is the "dot
repudiation" MX record. Here is an excerpt from his post that explains this
handy approach. Perhaps he'll wish to comment.
From: owner-spamtools(_at_)lists(_dot_)abuse(_dot_)net [mailto:owner-spamtools(_at_)lists(_dot_)abuse(_dot_)net] On Behalf Of Bruce Gingery
Sent: Saturday, September 04, 2004 12:38 AM
To: SpamTools
Subject: Re: [spamtools] C/B, was C/R and signatures
<...>
MX's can be EASILY overloaded, since any domain doing mail MUST accept
postmaster mail at its designated MX, and the single-dot is THE
established shorthand for "no mail", used in SOAs, and usable in MXs,
guaranteed to never resolve, and foolish to attempt to resolve as it's
a reserved value to MEAN "no mail" or "no domain".
Example:
1.2.0.198.in-addr.arpa.    PTR  mail.example.com.
2.2.0.198.in-addr.arpa.    PTR  nomail.example.com.
253.2.0.198.in-addr.arpa.  PTR  unpublished.example.net.
mail.example.com.          MX   10 mail.example.com.
                           A    192.0.2.1
                           TXT  "v=spf1 ip4:192.0.2.1 -all"
nomail.example.com.        MX   0 .
                           A    192.0.2.2
unpublished.example.net.   A    192.0.2.253
NXDOMAIN is returned on the MX lookup, and either NXDOMAIN or a
missing SPF record on the TXT lookup.
Anybody feel like calculating the bytes for a dot-MX RR? It's
a handful. Multiplied a few billion times, it's significantly
less traffic than TXT "v=spf1 -all" which has a different
meaning, anyways. If the client's mail is repudiated, via
dot-MX, there's no reason to even get to the point that ANYTHING
is checked via SPF -- not an ESMTP SENDER extension, not the
MAIL FROM domain, not the EHLO parameter... The dot-MX
repudiates the required postmaster address, hence it repudiates
participation in the internet mail system.
--
Seth Goodman
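A receiver-side check that ties the two posts together, added here as an illustration and not code from either poster: it consults constructed zone data in place of live DNS, rejects on a dot-MX before any SPF work is done, and otherwise evaluates only the a/ip4/all mechanisms that appear above. The zone contents and the function names are my own assumptions.

```python
# Constructed zone data standing in for DNS answers (no network); a missing key acts as NXDOMAIN/NODATA.
ZONE = {
    ("example.com.", "A"): ["192.0.2.1"],
    ("example.com.", "MX"): [(10, "mx.example.com.")],
    ("example.com.", "TXT"): ["v=spf1 a -all"],
    ("mx.example.com.", "A"): ["192.0.2.1"],
    ("www.example.com.", "A"): ["192.0.2.1"],       # no TXT: SPF says nothing here
    ("nomail.example.com.", "MX"): [(0, ".")],       # the dot-MX
    ("nomail.example.com.", "A"): ["192.0.2.2"],
}

def lookup(name, rtype):
    return ZONE.get((name, rtype), [])

def is_null_mx(domain):
    """Dot-MX: the domain's only MX target is '.', whatever the preference."""
    mx = lookup(domain, "MX")
    return len(mx) == 1 and mx[0][1] == "."

def spf_record(domain):
    """Return the single v=spf1 TXT record, or None when absent or ambiguous."""
    recs = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None

def evaluate_spf(record, domain, ip):
    """Minimal evaluator for the mechanisms on this page: a, ip4, all."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech == "a":                 # bare 'a' means the domain itself
            matched = ip in lookup(domain, "A")
        elif mech.startswith("ip4:"):
            matched = ip == mech[4:]
        else:
            continue                      # mechanisms not modelled here
        if matched:
            return results[qual]
    return "neutral"                      # no mechanism matched

def sender_policy(domain, ip):
    """Receiver decision in the order Bruce describes: dot-MX first, SPF second."""
    if is_null_mx(domain):
        return "reject: domain repudiates mail via dot-MX"
    rec = spf_record(domain)
    if rec is None:
        return "none: no SPF record published for " + domain
    return evaluate_spf(rec, domain, ip)
```

Note that www.example.com yields "none" even though example.com publishes "v=spf1 a -all", which is exactly why Roger's subdomain record is needed.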