
[spf-discuss] Re: [Fwd: Re: DNSOP Agenda for San Diego (IETF 67)]

2006-10-30 22:38:56
william(at)elan.net wrote:
 
Provide list of appropriate rebuttal points and I'll make
it after the presentation.

For a start see the corresponding thread on the DKIM list:
<http://permalink.gmane.org/gmane.ietf.dkim/6299>

But that's incomplete, and I didn't have the patience to
go through it again.  He deliberately uses vague terms as 
distraction from the fact that 10*10 is _the_ worst case,
with precisely two variations, 10 mx or 9 mx + 1 ptr.

Replace one by something else and you get 9 * 10 + 1, or
replace two to get 8 * 10 + 2, etc.

For the 10 * 10 scenario the attacker obviously gets the
remaining queries (111 - 100 = 11, if you add the SPF RR
it's 112 - 100 = 12).

So far it's clear, the 1 TXT (policy) + 10 MX (attacker)
+ 100 A (NXDOMAIN) answers should be cached by the target
after one mail.  Another point where he's intentionally
vague, talking about a single mail, as if sending more 
could make it worse.  But he somehow uses %l in his case,
I'm unsure how that affects his scenario.

That's where the TTL considerations begin, and I'm unsure
how that works.  The attacker can pick the TTL for the
bogus policy and the bogus MX records.  The attacker also
picks the %l if that means anything.

As much as I hate to actually bother responding to typical
Doug anti-SPF behavior [and he's mostly along continuing
to bring it up], I think it might be easier to just have
mail list post (or wiki page) to point people to from 
other forums where he mentions it.

Yes, e.g. I've no clue how he arrives at numbers like his
"factor 2000".  The factor 100 in a rather convoluted
scenario with one policy and ten MX, each with 10 names in
the domain of the victim, is clear.  I don't get how his
scenario arrives at more than 100 plus 11 queries to the
name server(s) of the attacker - in other words an attacker
has to answer quite a lot of queries, and based on that it's
"only" a factor 10.

Frank (a related off list mail arrived, thanks)
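
The query accounting discussed in the message above, as an added example that is not part of the original post: it tallies the worst-case lookups for one SPF evaluation under the RFC 4408 processing limits (10 DNS-querying terms, 10 names per mx or ptr). The function names, the sample domain example.net and the flat-record simplification (nested include/redirect policies are not expanded) are assumptions of this example.

```python
MAX_DNS_TERMS = 10  # RFC 4408: at most 10 DNS-querying mechanisms/modifiers
MAX_NAMES = 10      # RFC 4408: at most 10 names looked up per "mx" or "ptr"

# term -> (queries that fetch a name list, worst-case final lookups).
# Assumption: the record is flat; include/redirect count as one lookup each.
COST = {"mx": (1, MAX_NAMES), "ptr": (1, MAX_NAMES),
        "a": (0, 1), "include": (0, 1), "exists": (0, 1), "redirect": (0, 1)}


def term_name(term):
    """Strip qualifier and arguments: '-mx:example.net/24' -> 'mx'."""
    term = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        term = term.split(sep, 1)[0]
    return term.lower()


def worst_case(record, query_spf_rr=False):
    """Return the worst-case query counts for evaluating one SPF record."""
    names = [term_name(t) for t in record.split()[1:]]  # skip "v=spf1"
    dns_terms = [n for n in names if n in COST]
    if len(dns_terms) > MAX_DNS_TERMS:
        raise ValueError("PermError: more than 10 DNS-querying terms")
    policy = 2 if query_spf_rr else 1  # TXT, plus the SPF RR type if queried
    lists = sum(COST[n][0] for n in dns_terms)
    final = sum(COST[n][1] for n in dns_terms)
    return {"final": final,               # the message's "10 * 10" figure
            "remaining": policy + lists,  # the message's "111 - 100 = 11"
            "total": policy + lists + final}


def sample(mx, ptr=0, other=0):
    """Build a constructed record with the given mix of terms."""
    terms = [f"mx:m{i}.example.net" for i in range(mx)]
    terms += ["ptr"] * ptr
    terms += [f"a:h{i}.example.net" for i in range(other)]
    return " ".join(["v=spf1", *terms, "-all"])


if __name__ == "__main__":
    for label, rec in [("10 mx", sample(10)), ("9 mx + 1 ptr", sample(9, ptr=1)),
                       ("9 mx + 1 a", sample(9, other=1)),
                       ("8 mx + 2 a", sample(8, other=2))]:
        print(label, worst_case(rec))
```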


