spf-discuss

Re: SPF-compliant phishing?

2004-09-16 12:22:01
On Thu, 16 Sep 2004, Meng Weng Wong wrote:

> Because SES depends on a callback verification, it would be
> trivial to trigger a DDOS by forging mail from an SES domain
> to 100,000 receiving MTAs.  Under SPF, those receiving MTAs
> launch a bunch of DNS queries.  Under SES, those receiving
> MTAs start a bunch of SMTP sessions.  DNS can support
> 100,000 queries a lot better than SMTP can.

SES currently depends on the SPF 'exists' mechanism - so it handles
the DDoS efficiently (other than the kludge of creating a special
DNS server for _ses.example.com).  The SES group is working on
a UDP protocol to use instead of DNS for the future.

It is true that some receivers (e.g. Verizon) are doing SMTP callbacks
now.  Hopefully, the availability of SPF will discourage more sites
from doing that since SMTP callbacks *are* a DDoS waiting to happen.

SES + SPF is available now (via 'exists') and provides end-to-end
authentication regardless of forwarders.  Standalone SES is still in
development.  The hope is that the availability of the new SES UDP
protocol (or the willingness of the sender to get SMTP callbacks) can be
announced via an ses= modifier in some future version of SPF.

The weak point in deploying exists based SES as it stands now is the
requirement for custom DNS.  There is a good Java custom DNS.  The Twisted
Python framework has a custom DNS, but I am working on a simple standalone
Python custom DNS for use with SES.

Note that the custom DNS does *not* need to serve the entire domain.  
A standard DNS server sits in front and delegates only _ses or
other subdomains used for DNS based queries to the custom server.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
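Added example, not part of this post and not the SES project's code: a small Python model of the exists-based SES check described above, so the flow is concrete. The sending side signs the envelope sender's local part with an HMAC and a timestamp; the domain's SPF record uses `exists:%{l}._ses.<domain>`; the custom DNS server delegated the `_ses` subdomain answers the receiver's lookup only when the signature in the local part verifies. The local-part layout (`SES=<sig>=<ts>=<original>`), the `_ses` label, the 7-day validity window, the truncated SHA-1 HMAC and the key are all constructed assumptions for this illustration, not the SES specification. Note that a forged sender produces one DNS query answered with NXDOMAIN (SPF fail), never an SMTP callback, which is the DDoS point made in the post.

```python
"""
Constructed model of SES-style signed envelope senders verified through an SPF
'exists' lookup. Added example for illustration; the formats and constants here
are assumptions, not the SES specification.
"""
import base64
import hashlib
import hmac

SES_TAG = "SES"            # assumed prefix marking a signed local part
SIG_BYTES = 6              # assumed truncated MAC length (10 base32 chars)
VALID_FOR = 7 * 24 * 3600  # assumed window in which bounces may return
EXISTS_SUBDOMAIN = "_ses"  # the delegated subdomain the post mentions


def _mac(key: bytes, ts: int, local_part: str, domain: str) -> str:
    """Truncated HMAC over timestamp and address, encoded as a DNS-safe label.

    DNS is case-insensitive, so the MAC is computed over lowercased input and
    emitted as lowercase base32 (letters a-z and digits 2-7 only).
    """
    msg = f"{ts}:{local_part.lower()}@{domain.lower()}".encode()
    digest = hmac.new(key, msg, hashlib.sha1).digest()[:SIG_BYTES]
    return base64.b32encode(digest).decode().rstrip("=").lower()


def sign_sender(local_part: str, domain: str, key: bytes, ts: int) -> str:
    """Signed envelope sender (MAIL FROM) the outbound MTA would use."""
    sig = _mac(key, ts, local_part, domain)
    return f"{SES_TAG}={sig}={ts}={local_part}@{domain}"


def spf_record(domain: str) -> str:
    """Publish an SPF record that defers every check to the _ses custom DNS."""
    # %{l} is the SPF macro for the local part of the envelope sender.
    return f"v=spf1 exists:%{{l}}.{EXISTS_SUBDOMAIN}.{domain} -all"


def exists_query(local_part: str, domain: str) -> str:
    """Name the receiver's SPF evaluator looks up for the exists mechanism."""
    return f"{local_part}.{EXISTS_SUBDOMAIN}.{domain}"


def verify_local_part(local_part: str, domain: str, key: bytes, now: int):
    """Return (ok, original_local_part_or_reason) for a signed local part."""
    parts = local_part.split("=", 3)
    if len(parts) != 4 or parts[0].upper() != SES_TAG:
        return False, "not an SES-signed sender"
    _, sig, ts_str, original = parts
    if not ts_str.isdigit():
        return False, "bad timestamp"
    ts = int(ts_str)
    if not (ts <= now <= ts + VALID_FOR):
        return False, "expired or future-dated"
    expected = _mac(key, ts, original, domain)
    if not hmac.compare_digest(sig.lower(), expected):
        return False, "bad signature"
    return True, original


def answer_exists_query(qname: str, domain: str, key: bytes, now: int):
    """What the custom DNS server behind the _ses delegation would answer.

    Returns an A record value when the sender verifies (SPF 'exists' matches),
    or None meaning NXDOMAIN (no match, so the record's -all yields fail).
    """
    suffix = f".{EXISTS_SUBDOMAIN}.{domain}"
    if not qname.lower().endswith(suffix.lower()):
        return None
    local_part = qname[: -len(suffix)]
    ok, _ = verify_local_part(local_part, domain, key, now)
    return "127.0.0.2" if ok else None


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; never a real key
    ts = 1095336121                        # constructed, near the post's date
    sender = sign_sender("alice", "example.com", key, ts)
    local = sender.split("@")[0]
    print("signed sender :", sender)
    print("SPF record    :", spf_record("example.com"))
    print("genuine lookup:", answer_exists_query(
        exists_query(local, "example.com"), "example.com", key, ts + 60))
    print("forged lookup :", answer_exists_query(
        exists_query("alice", "example.com"), "example.com", key, ts + 60))
```

The check runs entirely inside the receiver's normal SPF evaluation, which is why the post can say SES + SPF works through forwarders and needs no SMTP callback: the forwarder passes the signed MAIL FROM along unchanged, and the only thing the custom DNS server has to do is compute an HMAC per query.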

