Re: [spf-discuss] PermError: Too many DNS lookups at Microsoft.com

At 04:47 PM 5/9/2006 -0400, you wrote:

> On Sat, 6 May 2006, David MacQuigg wrote:
>
> > One has to wonder why domains like hotmail.com authorize so many addresses
> > to send using their name.  I would think a better strategy, one which 
> would
> > exclude the zombies and earn them a better reputation, would be to
>
> Those 98K hotmail IPs are actually assigned to their massively parallel and
> redundant server networks.  You could argue that they don't really need
> that many public IPs, but I don't believe they are authorizing potential
> zombies (except insofar as their servers run Windoze ... :-) )
That was 981K authorized sending addresses for hotmail.com!!  A more 
sensible setup for a large global sender would be to pick maybe a dozen 
well-connected locations, widely distributed over the world, and authorize 
4 or 8 addresses at each location.  I think rr.com has some 3 dozen 
outgoing servers they actually use at any one time.  The record would than 
have one IP block for each location.
I would be surprised if all those 981K servers were well-managed and 
spam-free.  This gets back to the question of what the hell they are 
intending to do with these large, all-inclusive records.  My guess is it is 
some kind of corporate boast - look how big we are!  I think if they were 
seriously using it as an authentication record, they would have a lot fewer 
addresses.
I fixed my record compiler to handle more lookups.  Here is the 
microsoft.com record:
microsoft.com TXT  v=spf1  compiles to 61 addresses in 61 blocks -->
['131.107.1.101', '131.107.1.102', '131.107.1.18', '131.107.1.19', 
'131.107.1.20', '131.107.1.6', '131.107.1.7', '131.107.1.8', '131.107.1.9', 
'131.107.1.99', '131.107.65.131', '131.107.65.22', '205.248.102.77', 
'205.248.102.78', '205.248.102.79', '207.46.132.151', '207.46.132.152', 
'207.46.132.153', '207.46.132.154', '207.46.143.238', '207.46.248.40', 
'207.46.248.41', '207.46.248.42', '207.46.248.43', '207.46.248.64', 
'207.46.248.65', '207.46.248.66', '207.46.248.67', '207.46.248.68', 
'207.46.248.69', '207.46.248.70', '207.46.248.71', '207.46.50.72', 
'207.46.50.82', '207.68.176.10', '207.68.176.100', '207.68.176.101', 
'207.68.176.102', '207.68.176.103', '207.68.176.104', '207.68.176.105', 
'207.68.176.106', '207.68.176.107', '207.68.176.108', '207.68.176.109', 
'207.68.176.110', '207.68.176.111', '207.68.176.112', '207.68.176.113', 
'207.68.176.114', '207.68.176.115', '207.68.176.59', '207.68.176.60', 
'207.68.176.7', '207.68.176.8', '207.68.176.9', '209.11.164.116', 
'213.199.128.139', '213.199.128.145', '217.77.141.52', '217.77.141.59']
The interesting thing about this record is that there are so many isolated 
addresses in small clusters.  They could easily reduce this to a few blocks 
that would fit in one DNS record.
-- Dave


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, 
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com