On Tue, 31 Oct 2006 11:48:35 -0600 wayne <wayne(_at_)schlitt(_dot_)net> wrote:
In <20061031173753(_dot_)89F928B70E(_at_)chiclet(_dot_)listbox(_dot_)com> Scott Kitterman <scott(_at_)kitterman(_dot_)com> writes:
I think this is all much ado about nothing.
First, nothing requires anyone to do SPF checks. A truly well engineered
integration of SPF would degrade gracefully and bail out on SPF checks
if resource usage gets to be too great.
You have *COMPLETELY* missed the point.
This is *NOT* about SPF publisher or SPF checker attacks.
This is about *THIRD PARTY* attacks.
People who neither publish, nor check SPF records.
You can not "gracefully bail out".
*sigh*
While the lack of anybody doing such a DOS attack does not entirely refute
the argument, I do think that if this was easy, we'd have seen it by now.
Uh, no, it is pretty clear that 1) most people don't understand the
issue, and 2) DougO is working hard to make it so people do.
Unfortunately, because it is DougO, most clueful technical people tune
him out, so the only people who will likely pay any real attention to
him are bad guys.
OK. I'm in the midst of a power outage right now and doing e-mail on my
phone. Doug's text is hard enough to parse on a full size screen. I'm not
even going to try on my phone. I'll go look at it again after the power
comes back.
I guess I was defending against the wrong attack as what I described was,
IIRC, Radu's threat. I'll accept that Doug's is different and go look
again.
Scott K