In <20061031173753(_dot_)89F928B70E(_at_)chiclet(_dot_)listbox(_dot_)com> Scott
Kitterman <scott(_at_)kitterman(_dot_)com> writes:
I think this is all much ado about nothing.
First, nothing requires any to do SPF checks. A truly well engineered
integration of SPF would degrade gracefully and bail out on SPF checks if
resource usage get to be to great.
You have *COMPLETELY* missed the point.
This is *NOT* about SPF publisher or SPF checker attacks.
This is about *THIRD PARTY* attacks.
People who neither publish, nor check SPF records.
You can not "gracefully bail out".
*sigh*
While the lack of anybody doing such a DOS attack does not entirely refute
the argument, I do think that if this was easy, we'd have seen it by now.
Uh, no, it is pretty clear that 1) most people don't understand the
issue, and 2) DougO is working hard to make it so people do.
Unfortunately, because it is DougO, most clueful technical people tune
him out, so the only people who will likely pay any real attention to
him are bad buys.
I'm not saying it's not a risk, but that I think it can be managed.
How?
-wayne
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com