Re: [spf-discuss] PermError: Too many DNS lookups at Microsoft.com
2006-05-09 18:24:03
At 04:47 PM 5/9/2006 -0400, you wrote:
> On Sat, 6 May 2006, David MacQuigg wrote:
> > One has to wonder why domains like hotmail.com authorize so many addresses
> > to send using their name. I would think a better strategy, one which would
> > exclude the zombies and earn them a better reputation, would be to
>
> Those 98K hotmail IPs are actually assigned to their massively parallel and
> redundant server networks. You could argue that they don't really need
> that many public IPs, but I don't believe they are authorizing potential
> zombies (except insofar as their servers run Windoze ... :-) )
That was 981K authorized sending addresses for hotmail.com!! A more
sensible setup for a large global sender would be to pick maybe a dozen
well-connected locations, widely distributed over the world, and authorize
4 or 8 addresses at each location. I think rr.com has some 3 dozen
outgoing servers they actually use at any one time. The record would then
have one IP block for each location.
I would be surprised if all those 981K servers were well-managed and
spam-free. This gets back to the question of what the hell they are
intending to do with these large, all-inclusive records. My guess is it is
some kind of corporate boast - look how big we are! I think if they were
seriously using it as an authentication record, they would have a lot fewer
addresses.
I fixed my record compiler to handle more lookups. Here is the
microsoft.com record:
microsoft.com TXT v=spf1 compiles to 61 addresses in 61 blocks -->
The interesting thing about this record is that there are so many isolated
addresses in small clusters. They could easily reduce this to a few blocks
that would fit in one DNS record.
-- Dave
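The reduction suggested in the message above, collapsing clusters of isolated addresses into a few blocks, sketched as an added example; it is not code from the post or from the author's record compiler. The addresses are constructed from documentation ranges, and the function names and the /24 clustering rule are assumptions. It also reports how many extra addresses each block authorizes, which is the cost of a shorter record.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input (documentation address ranges, not real senders).
SAMPLE = (["192.0.2.%d" % n for n in (6, 7, 8, 9)]
          + ["198.51.100.%d" % n for n in range(100, 116)]
          + ["203.0.113.77"])

def covering_block(addrs):
    """Smallest single CIDR block that contains every address in addrs."""
    ints = [int(a) for a in addrs]
    diff = min(ints) ^ max(ints)          # bits that vary across the set
    prefix = 32 - diff.bit_length()       # length of the shared prefix
    host_bits = 32 - prefix
    base = (min(ints) >> host_bits) << host_bits
    return ipaddress.ip_network((base, prefix))

def compile_blocks(addresses, group_prefix=24):
    """Cluster addresses by /group_prefix (assumed rule), then shrink each
    cluster to its tightest block. Returns (block, used, authorized) tuples."""
    groups = defaultdict(set)
    for text in addresses:
        ip = ipaddress.IPv4Address(text)
        key = ipaddress.ip_network((int(ip), group_prefix), strict=False)
        groups[key].add(ip)
    out = []
    for key in sorted(groups):
        block = covering_block(groups[key])
        out.append((block, len(groups[key]), block.num_addresses))
    return out

def spf_record(blocks):
    """Emit an SPF record made only of ip4 terms (no include/a/mx lookups)."""
    terms = ["ip4:%s" % (b if b.prefixlen < 32 else b.network_address)
             for b, _, _ in blocks]
    return "v=spf1 " + " ".join(terms) + " -all"

def over_authorized(blocks):
    """Addresses the blocks authorize beyond the ones actually listed."""
    return sum(total - used for _, used, total in blocks)

if __name__ == "__main__":
    blocks = compile_blocks(SAMPLE)
    for block, used, total in blocks:
        print("%-20s %2d listed, %2d authorized" % (block, used, total))
    print(spf_record(blocks))
    print("extra addresses authorized:", over_authorized(blocks))
```

Because `ip4` terms need no DNS queries at check time, a record built this way does not count toward the lookup limit behind the PermError in the subject line.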