spf-discuss

[spf-discuss] Closed Loop SPF

2007-09-26 15:19:09
I have an idea for an adjunct protocol to SPF, which I'll call "Closed
Loop SPF".

Like SPF, CLSPF attempts to answer the question of "is it valid for mail
addressed from domain X to be sent by IP address Y?".  However, instead of
storing a list of IPs at the domain, CLSPF stores a list of domains at the
IP (that is, in in-addr.arpa).

So if the SPF for example.org is:

example.org IN SPF "v=spf1 a:123.45.67.89 -all"

Then the CLSPF for [123.45.67.89] might be:

89.67.45.123.in-addr.arpa IN SPF "v=clspf d:example.org -all"

(there's no spec at the moment, but I think how it works should be
obvious.)

This is much weaker on its own than regular SPF, since a spammer can
forge any domain he pleases under CLSPF, so long as he controls rDNS on
the IPs he's using.  But used together with regular SPF to form a closed
loop (hence the name), it can cause some pain to botnets.

The "killer app" for CLSPF will be an improved form of greylisting.

The original greylisting specification, which I'll call "triplet
greylisting", has problems dealing with ham e-mails from sites that have
multiple outgoing IP addresses.

One answer to this is to instead use "duplet greylisting" -- ignoring the
IP address and greylisting only on the sender-address/recipient-address
pair. This avoids some delays for ham e-mails, but is much weaker in
blocking botnet spam.

One trick that would probably work well at the moment is to apply duplet
greylisting to SPF-pass mail, and apply triplet greylisting to other mail.
But on reflection, this is only security-by-obscurity on top of duplet
greylisting.  The problem is that a spammer can then completely avoid
triplet greylisting by using throwaway sender domains with "+all" SPF
records.

Here CLSPF comes to the rescue.  By configuring a mailserver to use
duplet greylisting only when both CLSPF and SPF return pass, botnets are
unavoidably subject to triplet greylisting.  Meanwhile, domains that use
arrays of outgoing mailservers can improve their deliverability by
providing CLSPF.

CLSPF does have a cost, in that if a CLSPF-listed mailserver is
compromised, it is much easier for the cracker to guess at a sender e-mail
address that will be believed.  It might make sense to use CLSPF only when
there actually are multiple outgoing IPs.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
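An added example, not code from the original post or from any SPF project, that evaluates a CLSPF record of the form shown above and applies the post's combined greylisting rule. The DNS data is a constructed in-memory table, and the treatment of qualifiers other than `-all` and of unmatched records is an assumption, since the post gives no spec.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed stand-in for DNS: reverse-zone name -> CLSPF record text.
# 123.45.67.89 is the post's example; 10.0.0.2 is a constructed multi-domain host.
RDNS_RECORDS: Dict[str, str] = {
    "89.67.45.123.in-addr.arpa": "v=clspf d:example.org -all",
    "2.0.0.10.in-addr.arpa": "v=clspf d:example.net d:mail.example.net -all",
}

# Assumed SPF-style qualifier meanings for CLSPF terms.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name for a dotted-quad IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def clspf_check(ip: str, sender_domain: str, records=RDNS_RECORDS) -> str:
    """Evaluate the CLSPF record published at the sending IP's rDNS name.

    Terms are evaluated left to right; 'd:<domain>' matches the sender domain
    and 'all' is the catch-all. Returns 'none' when no record exists or no
    term matches (the latter is an assumption, mirroring SPF's neutral default).
    """
    rec = records.get(reverse_name(ip))
    if rec is None or not rec.startswith("v=clspf "):
        return "none"
    for term in rec.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("d:") and term[2:].lower() == sender_domain.lower():
            return QUALIFIERS[qualifier]
    return "none"


def greylist_key(ip: str, sender: str, recipient: str, spf_result: str) -> Tuple[str, ...]:
    """Choose the greylisting key as the post proposes: the duplet
    (sender, recipient) only when BOTH SPF and CLSPF pass, otherwise the
    stricter triplet that also includes the client IP."""
    domain = sender.rsplit("@", 1)[-1]
    if spf_result == "pass" and clspf_check(ip, domain) == "pass":
        return (sender, recipient)
    return (ip, sender, recipient)
```

A host with a "+all" SPF domain but no CLSPF record at its IP still lands on the triplet key, which is the botnet case the post describes.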

