On Thu, 17 Mar 2005, at 00:53, Alex van den Bogaerdt wrote:
Todd,
Basically the other side would tell you what IP address is
trying to send mail; you look this up in a database. There's
no need to have a large record and cross customer spoofing
could be made impossible as well (this is optional).
The record could be as simple as:
"v=spf1 exists:%{i}._spf.rr.com ~all"
The DNS server for _spf.rr.com would be a front end for some
database server mapping ip addresses into booleans. Return
the IP address when it is allowed to send mail, return fail
when not. More complex setups are possible; see the proposed
RFC.
The problem with our pursuing this angle right now is the fact
that our AUP does not prohibit servers being run in customer
space at present. We do not require that customers relay their
outbound email, even email from their @foo.rr.com address,
through our SMTP servers. (We also do not require that mail being
relayed through our SMTP servers be from addresses ending in
@foo.rr.com.) This would mean that we'd have to have a
single DNS zone with something like 4.5 or so million records in
it; large zones such as that do not transfer well between
servers. (I don't see wildcarding as an option here; would open
us to a DoS attack on the servers hosting the _spf.rr.com zone,
and would be the equivalent of +all, wouldn't it?)
I think the SPF for rr.com, as currently published, best meets
our needs. Our customers send email from sub-domains of rr.com
(each of which has its own SPF record), and the record as it
stands best communicates the information that we need to
communicate regarding the locations of our Road Runner-managed
SMTP servers.
--
Todd Herr
Senior Security Policy Specialist/Postmaster V: 703.345.2447
Time Warner Cable IP Security M: 571.344.8619
therr(_at_)security(_dot_)rr(_dot_)com AIM:
RRCorpSecTH