spf-discuss

Re: short circuiting evaluation

2005-03-24 14:14:32


Andy Bakun wrote:
> On Thu, 2005-03-24 at 12:23 -0500, Radu Hociung wrote:
>
>> I propose that we add a mask modifier that looks like this:
>>
>> -m=64/6 m=80.66/16 m=192/3
>
> This is a very interesting idea, Radu.  Couldn't you currently short
> circuit your entire eBay compiled record with:
>
>         domain.com.        TXT "v=spf1 ~exists:%{ir1}._spf.%{d} "
>                                " ...restofrecord... ~all"
>         X._spf.domain.com. A   127.0.0.1
>
> (with 243 of these records, for all values of X in 0..255 except for the
> 13 you've listed that eBay uses) ?

But eBay's server is doing the compilation, and they might not have an RBL-like map (which is what the exists mech implies).

They'd have to publish:
1._spf.ebay.com A 127.0.0.?
...
254._spf.ebay.com A 127.0.0.?


Also, this exists mech would likely generate a DNS packet across the net, because the host with %{ir1} is probably not in the cache.

After forgers from all corners of the world send me "ebay" email, my cache would have 243 junk entries.

Also, I was suggesting that the compiler would generate far more narrow masks. I listed a few 8-bit ones that I noticed manually. I spent no effort to make them better.

So if there is a forger at 65.0.0.1 and eBay uses 65.12.12.12, its exists mechanism cannot return a positive for 65._spf.ebay.com, or it would shoot down its own outgoing server. In order to not do this, it would have to publish %{ir2}._spf.%{d}, but this is not very flexible, as it cannot generate an arbitrarily tight blackout pattern like the mask can.

Radu.
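
The granularity point in the message above, as an added example that is not part of the original post: it expands `%{ir1}` and `%{ir2}` the way the SPF macro rules do (reverse the labels, keep the right-hand N) and counts the A records a domain would have to publish for the `exists:` short circuit. The domain `example.com` and the sender list are constructed placeholders; only 65.12.12.12 and 65.0.0.1 come from the thread.

```python
import ipaddress
from itertools import product

def expand_ir(ip, keep=0):
    """Expand %{ir} or %{ir<keep>} for an IPv4 client address."""
    labels = str(ipaddress.IPv4Address(ip)).split(".")
    labels.reverse()                 # 'r' transformer: reverse the labels
    if keep:
        labels = labels[-keep:]      # digit transformer: keep the right-hand N labels
    return ".".join(labels)

def exists_qname(ip, domain, keep):
    """Name queried for exists:%{ir<keep>}._spf.%{d}."""
    return f"{expand_ir(ip, keep)}._spf.{domain}"

def blackout_names(sender_ips, domain, keep):
    """A records to publish so that every prefix without a legitimate sender matches."""
    in_use = {exists_qname(ip, domain, keep) for ip in sender_ips}
    names = set()
    for octets in product(range(256), repeat=keep):
        prefix = ".".join(map(str, octets)) + ".0" * (4 - keep)
        names.add(exists_qname(prefix, domain, keep))
    return names - in_use

# Constructed data: placeholder domain and sender addresses (assumptions).
DOMAIN = "example.com"
SENDERS = ["65.12.12.12", "66.135.0.10", "216.33.0.5"]
FORGER = "65.0.0.1"

def short_circuits(ip, keep):
    """True if the exists: lookup for this client finds a published record."""
    return exists_qname(ip, DOMAIN, keep) in blackout_names(SENDERS, DOMAIN, keep)

if __name__ == "__main__":
    for keep in (1, 2):
        published = len(blackout_names(SENDERS, DOMAIN, keep))
        print(f"%{{ir{keep}}}: {published} records to publish")
        for ip in (FORGER, SENDERS[0]):
            print(f"  {ip:<12} -> {exists_qname(ip, DOMAIN, keep):<24}"
                  f" short-circuit={short_circuits(ip, keep)}")
```

With `%{ir1}` the forger and the legitimate server query the same name, so that name cannot be published; `%{ir2}` separates them at the cost of a zone roughly 256 times larger, and every distinct forged source still adds one name to the receiver's cache.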

