Andy Bakun wrote:
On Thu, 2005-03-24 at 12:23 -0500, Radu Hociung wrote:
I propose that we add a mask modifier that looks like this:
-m=64/6 m=80.66/16 m=192/3
This is a very interesting idea, Radu. Couldn't you currently short
circuit your entire eBay compiled record with:
domain.com. TXT "v=spf1 ~exists:%{ir1}._spf.%{d} "
" ...restofrecord... ~all"
X._spf.domain.com. A 127.0.0.1
(with 243 of these records, for all values of X in 0..255 except for the
13 you've listed that eBay uses) ?
But eBay's server is doing the compilation, and they might not have an
RBL-like map (which is what the exists mech implies).
They'd have to publish:
1._spf.ebay.com A 127.0.0.?
...
254._spf.ebay.com A 127.0.0.?
Also, this exists mech would likely generate a DNS packet across the
net, because the host with %{ir1} is probably not in the cache.
After forgers from all corners of the world send me "ebay" email, my
cache would have 243 junk entries.
Also, I was suggesting that the compiler would generate far more narrow
masks. I listed a few 8-bit ones that I noticed manually. I spent no
effort to make them better.
So if there is a forger at 65.0.0.1 and eBay uses 65.12.12.12, its
exists mechanism cannot return a positive for 65._spf.ebay.com, or it
would shoot down its own outgoing server. In order not to do this, it
would have to publish %{ir2}._spf.%{d}, but this is not very flexible, as
it cannot generate an arbitrarily tight blackout pattern like the mask can.
Radu.
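Editor's added example, not code from either poster: the two blackout strategies argued over above, an exists:%{ir<n>}._spf.%{d} lookup keyed on the reversed sender IP versus a CIDR-style mask, compared on the 65.0.0.1 / 65.12.12.12 case from the message. The %{ir<n>} expansion follows the SPF macro rules (reverse the dotted quad, keep the n right-most labels); the mask semantics (a network containing the forger but none of the domain's own senders) are my reading of the proposed m=net/bits modifier, and all addresses are constructed.

```python
"""Compare exists:%{ir<n>} blackouts with CIDR masks for SPF (added example)."""
import ipaddress
from typing import Iterable, List, Optional


def macro_ir(ip: str, n: int) -> str:
    """Expand SPF's %{ir<n>} for an IPv4 sender: reverse the dotted quad and
    keep the n right-most labels of the result."""
    if not 1 <= n <= 4:
        raise ValueError("label count must be 1..4")
    labels = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(labels[::-1][-n:])


def exists_can_block(forger_ip: str, legit_ips: Iterable[str], n: int) -> bool:
    """True if the forger's %{ir<n>} label can be published as a positive
    exists answer without also matching one of the domain's own senders."""
    legit_labels = {macro_ir(ip, n) for ip in legit_ips}
    return macro_ir(forger_ip, n) not in legit_labels


def exists_blackout_size(legit_ips: Iterable[str], n: int) -> int:
    """Number of X._spf.<domain> A records needed to black out every label of
    width n that no legitimate sender falls into (256 - 13 = 243 for the
    thread's n=1 case)."""
    return 256 ** n - len({macro_ir(ip, n) for ip in legit_ips})


def tightest_exists_width(forger_ip: str, legit_ips: Iterable[str]) -> Optional[int]:
    """Smallest label width at which exists: can block the forger, or None."""
    legit = list(legit_ips)
    for n in range(1, 5):
        if exists_can_block(forger_ip, legit, n):
            return n
    return None


def tightest_mask(forger_ip: str, legit_ips: Iterable[str]) -> Optional[ipaddress.IPv4Network]:
    """Shortest-prefix network that contains the forger but none of the
    legitimate senders (the kind of entry a mask modifier could carry), or
    None when the forger shares an address with a legitimate sender."""
    forger = ipaddress.IPv4Address(forger_ip)
    legit = [ipaddress.IPv4Address(ip) for ip in legit_ips]
    for prefix in range(0, 33):
        net = ipaddress.ip_network(f"{forger}/{prefix}", strict=False)
        if not any(addr in net for addr in legit):
            return net
    return None


def compare(forger_ip: str, legit_ips: List[str]) -> dict:
    """Summarise both approaches for one forger against a sender list."""
    width = tightest_exists_width(forger_ip, legit_ips)
    mask = tightest_mask(forger_ip, legit_ips)
    return {
        "exists_width": width,                 # label count needed by exists:
        "exists_octet_prefix": 8 * width if width else None,  # equivalent CIDR bits
        "mask": str(mask) if mask else None,   # what a mask entry could express
    }


if __name__ == "__main__":
    # Constructed: one legitimate sender and a forger in the same /8.
    legit = ["65.12.12.12"]
    print(compare("65.0.0.1", legit))
    # {'exists_width': 2, 'exists_octet_prefix': 16, 'mask': '65.0.0.0/13'}
    print(exists_blackout_size([f"{o}.0.0.1" for o in range(1, 14)], 1))  # 243
```

The run shows the point of the message: exists:%{ir1} cannot block 65.0.0.1 at all without also blocking 65.12.12.12, %{ir2} can but only at octet (/16) granularity and at the cost of up to 65536 records, while a mask can name 65.0.0.0/13 directly.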