On Tue, 31 Oct 2006, Scott Kitterman wrote:
OK, power's back on here.
I read Doug's draft again.
http://www.ietf.org/internet-drafts/draft-otis-spf-dos-exploit-01.txt
I agree. I still don't get it.
Some of what he said is right. Some of what he said is stuff you could do,
but is nonsense. Part of what he said is specifically contrary to 4408 (he
talks about implementations that do not have processing limits).
Is the idea that some bad actor can cause a third party to have their DNS
DOSed by sending mail to receivers that check SPF and have them do a bunch of
lookups against the 3rd party?
The idea is that a bad 3rd party [attacker] would create specifically
crafted DNS records that redirect or point to the victim in various ways,
that 3rd party would then send email to various SPF-checking places
which would look up these records and do lots of lookups to the victim's
DNS servers, i.e. DoS.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
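
The processing limit mentioned in the thread is RFC 4408 section 10.1: at most 10 mechanisms and modifiers that do DNS lookups per SPF check, with PermError if that is exceeded. The following is an added example, not part of the original messages or of any SPF library: a worst-case walker that charges every DNS-querying term to one budget. The function names and the .example zone data are assumptions made for illustration.

```python
import re
MAX_DNS_TERMS = 10                       # RFC 4408 section 10.1
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
TERM = re.compile(r"^[+\-~?]?([a-z][a-z0-9._-]*)(?:([:=])([^/]*))?", re.I)

class PermError(Exception): pass

def charge(state):
    state["used"] += 1
    if state["used"] > MAX_DNS_TERMS:
        raise PermError("more than 10 DNS-querying terms in one SPF check")

def count_dns_terms(domain, zone, state=None):
    """Worst-case walk (assumes no mechanism matches early); include and
    redirect targets share one budget. Macros are not expanded (simplification)."""
    state = {"used": 0} if state is None else state
    record = zone.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return state["used"]             # no SPF policy at this name
    redirect = None
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            raise PermError("unparseable term: " + term)
        name, sep, arg = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "=":
            redirect = arg if name == "redirect" else redirect
        elif name == "all":
            return state["used"]         # "all" ends the check; redirect is ignored
        elif name in DNS_MECHANISMS:
            charge(state)
            if name == "include":
                count_dns_terms(arg, zone, state)
    if redirect:
        charge(state)
        count_dns_terms(redirect, zone, state)
    return state["used"]

def within_limit(domain, zone):
    try:
        return count_dns_terms(domain, zone) <= MAX_DNS_TERMS
    except PermError:
        return False

# Constructed zone data (reserved .example names), not taken from the thread.
ZONE = {f"chain{i}.example": f"v=spf1 include:chain{i + 1}.example -all" for i in range(12)}
ZONE["ok.example"] = "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.ok.example -all"
ZONE["_spf.ok.example"] = "v=spf1 a:mail.ok.example -all"
```

Because the budget is shared across nested records, the same counter also stops an include loop after 10 terms.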