
Re: [spf-discuss] Does an SPF record need to be an IP?

2005-11-04 14:18:12
In <Pine.LNX.4.44.0511041605460.7588-100000@bmsred.bmsi.com>
 "Stuart D. Gathman" <stuart@bmsi.com> writes:

> On Fri, 4 Nov 2005, wayne wrote:
>
>>> In terms of DNS lookups, it is the same as MX.  [...]
>>
>> I strongly disagree.  In both theory and practice, PTR is much worse
>> than MX.
>
> You snipped out the part where I agree with you.  My point was
> that for *legitimate* traffic, where you control the rDNS records,
> and they come from a small number of IPs, it is no worse than MX.  It is when
> evaluating a forged connection that it is expensive.

Uh, you snipped out the part where I explained that even for
legitimate email, the SPF ptr mechanism is worse.


>> This is true even for legitimate MTAs.  For spam sources, the rDNS
>> tree is almost useless.
>
> Yes, we agree that PTR is vulnerable to DOS attacks.

I don't think the normal spam volume can be considered a DoS attack.
The intent of the spam is not to deny service from your MTA.  Far too
much spam comes from IP addresses that have broken rDNS entries.

The SPF ptr mechanism is expensive and I can't recommend it unless you
*really* need it.

-wayne

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss@v2.listbox.com
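The exchange above is about how many DNS queries the SPF ptr mechanism costs compared with mx, and why that cost is worst when the connecting IP is forged or has broken rDNS. The following is an added worked example, not code from the thread or from any SPF implementation: it implements the lookup procedures of RFC 4408 sections 5.4 (mx) and 5.5 (ptr) against a constructed in-memory zone and counts the queries each mechanism issues. The domains, IPs and PTR names are assumptions chosen for illustration; the resolver does no caching and does not model the reliability of the in-addr.arpa tree, so it only shows the query-count part of the argument.

```python
"""Count the DNS queries SPF's ptr and mx mechanisms issue.

Added example, not code from the list thread. Lookup steps follow
RFC 4408 sections 5.4 (mx) and 5.5 (ptr). The zone below is a
constructed, in-memory stand-in for live DNS.
"""
from collections import Counter

# Constructed zone data (assumption: hypothetical domains and IPs).
# example.com is the legitimate sender; its one MX has matching rDNS.
# 198.51.100.5 is a "forged" source: ten PTR names, none of which
# resolve back to the IP (the broken-rDNS case described in the mail).
ZONE = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("5.100.51.198.in-addr.arpa", "PTR"): [
        f"host{i}.bogus.example" for i in range(10)
    ],
}


def reverse_name(ip):
    """Build the in-addr.arpa name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


class CountingResolver:
    """Answers from ZONE and tallies every query by record type."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = Counter()

    def lookup(self, name, rtype):
        self.queries[rtype] += 1
        return list(self.zone.get((name, rtype), []))

    @property
    def total(self):
        return sum(self.queries.values())


def check_mx(resolver, ip, domain):
    """RFC 4408 5.4: one MX query, then one A query per MX host (max 10)."""
    for mxhost in resolver.lookup(domain, "MX")[:10]:
        if ip in resolver.lookup(mxhost, "A"):
            return True
    return False


def check_ptr(resolver, ip, domain):
    """RFC 4408 5.5: one PTR query, then one A query per returned name
    (max 10) to validate it; match if a validated name is <domain> or
    ends in .<domain>.  Every name costs a query even if none match."""
    for name in resolver.lookup(reverse_name(ip), "PTR")[:10]:
        if ip in resolver.lookup(name, "A"):
            if name == domain or name.endswith("." + domain):
                return True
    return False


def cost(mechanism, ip, domain):
    """Run one mechanism and return (matched, total DNS queries)."""
    resolver = CountingResolver(ZONE)
    matched = mechanism(resolver, ip, domain)
    return matched, resolver.total


if __name__ == "__main__":
    for label, ip in (("legitimate", "192.0.2.10"), ("forged", "198.51.100.5")):
        for mech in (check_mx, check_ptr):
            matched, queries = cost(mech, ip, "example.com")
            print(f"{label:10} {mech.__name__}: match={matched} queries={queries}")
```

For the legitimate sender both mechanisms cost two queries, which is Stuart's point; for the forged source mx still costs two (the sender's own MX data bounds the work) while ptr costs eleven, because the work is bounded by whatever the remote party put in in-addr.arpa. That is the asymmetry behind calling ptr expensive under forged connections.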