On Mon, Sep 24, 2018 at 06:15:12AM -0500, Dave Jones wrote:
> On 9/23/18 1:42 PM, Henrik Krohns wrote:
> >On Sun, Sep 23, 2018 at 12:25:36PM -0500, Dave Jones wrote:
> >>
> >>Consider the difference between these two SPF records:
> >># dig email.chase.com txt +short
> >>"v=spf1 include:epsl1.com -all"
> >># dig chase.com txt +short
> >>"v=spf1 a:spf.jpmchase.com ip4:207.162.228.0/24 ip4:207.162.229.0/24
> >>ip4:207.162.225.0/24 ip4:196.37.232.50 ip4:159.53.46.0/24 ip4:159.53.36.0/24
> >>ip4:159.53.110.0/24 ip4:159.53.78.0/24 include:tpo.chase.com -all"
> >>
> >>Does this make sense that *@*.chase.com is safer to trust than *@chase.com?
> >
> >Honestly I have no idea.  As I don't have any decent mail feed these days,
> >doesn't seem like I can help much.  Some local domains I checked, subdomain
> >or not, point to many different companies and mailers.  To judge them worthy
> >globally whitelisting does require data, experience and contacts, so I'm
> >happy to leave this stuff to you and others. :-)
> >
> >-hk
> >
> 
> I was only referring to the SPF record difference since you pointed out how
> unsafe it would be to trust some SPF records with includes that expand out
> to a large number of IPs.
> 
> The two SPF records above are VERY different which supports the logic I
> listed out.

I don't understand, how are they different?


$ dig txt epsl1.com +short
"spf2.0/pra ip4:142.54.244.0/23 ip4:142.54.247.0/24 ip4:159.127.162.0/23 
ip4:159.127.178.0/24 ip4:173.203.61.92/32 include:bfi0.com -all"
"v=spf1 ip4:142.54.244.0/23 ip4:142.54.247.0/24 ip4:159.127.162.0/23 
ip4:159.127.178.0/24 ip4:173.203.61.92/32 include:bfi0.com -all"
$ dig txt bfi0.com +short
"spf2.0/pra ip4:93.191.146.0/23 ip4:206.132.3.0/24 ip4:206.132.1.0/24 
ip4:216.35.62.0/25 ip4:216.33.63.0/24 ip4:209.67.13.128/25 ip4:208.70.142.0/23 
ip4:142.54.200.0/23 ip4:142.54.246.0/24 -all"
"v=spf1 ip4:93.191.146.0/23 ip4:206.132.3.0/24 ip4:206.132.1.0/24 
ip4:216.35.62.0/25 ip4:216.33.63.0/24 ip4:209.67.13.128/25 ip4:208.70.142.0/23 
ip4:142.54.200.0/23 ip4:142.54.246.0/24 -all"


$ dig txt tpo.chase.com +short
"v=spf1 ip4:68.233.76.14/32 ip4:63.150.74.35/32 ip4:198.64.159.0/24 
ip4:198.104.137.206/32 ip4:161.58.88.0/24 -all"


They BOTH expand to so much stuff, that I have no idea how a common
committer like me can conclude if they are "safe" and not common sources of
hacked accounts and such.  :-)

-hk

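Henrik's point, that both records fan out to a large address space once the include: chains are followed, can be checked mechanically rather than by eyeballing dig output. The following is an added example, not code from this thread or from SpamAssassin: it expands an SPF record through its include:, redirect= and a: mechanisms against a constructed, offline copy of the TXT data quoted above, counts DNS-querying mechanisms against the 10-lookup limit of RFC 7208, flags include loops and +all, and totals the IPv4 address space that would get a "pass". The A record for spf.jpmchase.com and the shortened spf2.0/pra line are invented placeholders so the example runs without network access; mx, ptr and exists mechanisms are only reported, not resolved.

```python
"""Expand an SPF record and total the address space it authorizes.

Added example for this thread; FAKE_DNS is a constructed, offline stand-in
for real TXT/A lookups.  Real SPF evaluation (RFC 7208) also handles ip6,
mx, ptr, exists, macros and CIDR suffixes on a/mx, which are not modelled.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 is a permerror

# Constructed DNS data.  The v=spf1 strings are the ones quoted in the thread.
# The spf2.0/pra line is a shortened placeholder for the Sender ID record that
# sits beside the SPF record at epsl1.com; the A record is an invented
# TEST-NET-1 address so the 'a:' mechanism has something to resolve offline.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("chase.com", "TXT"): [
        "v=spf1 a:spf.jpmchase.com ip4:207.162.228.0/24 ip4:207.162.229.0/24 "
        "ip4:207.162.225.0/24 ip4:196.37.232.50 ip4:159.53.46.0/24 ip4:159.53.36.0/24 "
        "ip4:159.53.110.0/24 ip4:159.53.78.0/24 include:tpo.chase.com -all"],
    ("tpo.chase.com", "TXT"): [
        "v=spf1 ip4:68.233.76.14/32 ip4:63.150.74.35/32 ip4:198.64.159.0/24 "
        "ip4:198.104.137.206/32 ip4:161.58.88.0/24 -all"],
    ("email.chase.com", "TXT"): ["v=spf1 include:epsl1.com -all"],
    ("epsl1.com", "TXT"): [
        "spf2.0/pra ip4:142.54.244.0/23 -all",  # placeholder Sender ID record, must be ignored
        "v=spf1 ip4:142.54.244.0/23 ip4:142.54.247.0/24 ip4:159.127.162.0/23 "
        "ip4:159.127.178.0/24 ip4:173.203.61.92/32 include:bfi0.com -all"],
    ("bfi0.com", "TXT"): [
        "v=spf1 ip4:93.191.146.0/23 ip4:206.132.3.0/24 ip4:206.132.1.0/24 "
        "ip4:216.35.62.0/25 ip4:216.33.63.0/24 ip4:209.67.13.128/25 ip4:208.70.142.0/23 "
        "ip4:142.54.200.0/23 ip4:142.54.246.0/24 -all"],
    ("spf.jpmchase.com", "A"): ["192.0.2.10"],  # invented placeholder address
}


def lookup(name: str, rtype: str) -> List[str]:
    """Offline replacement for a DNS query against the constructed data."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain: str) -> str:
    """Return the single v=spf1 TXT record; anything else (e.g. spf2.0/pra) is ignored."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) != 1:
        raise ValueError(f"{domain}: expected exactly one v=spf1 record, found {len(recs)}")
    return recs[0]


class SpfExpander:
    def __init__(self) -> None:
        self.networks: List[ipaddress.IPv4Network] = []  # everything that yields 'pass'
        self.lookups = 0
        self.visited: Set[str] = set()
        self.warnings: List[str] = []

    def _count_lookup(self, domain: str, what: str) -> None:
        self.lookups += 1
        if self.lookups > MAX_DNS_LOOKUPS:
            self.warnings.append(f"{domain}: '{what}' exceeds {MAX_DNS_LOOKUPS} lookups (permerror)")

    def expand(self, domain: str) -> None:
        domain = domain.lower()
        if domain in self.visited:  # include/redirect loop: RFC 7208 treats this as an error
            self.warnings.append(f"include loop at {domain}")
            return
        self.visited.add(domain)
        for term in spf_record(domain).split()[1:]:
            qual = term[0] if term[0] in "+-~?" else "+"
            mech = term.lstrip("+-~?")
            # Modifiers are name=value; only redirect= changes the authorized set.
            if "=" in mech and (":" not in mech or mech.index("=") < mech.index(":")):
                mod, _, arg = mech.partition("=")
                if mod.lower() == "redirect":
                    self._count_lookup(domain, term)
                    self.expand(arg)
                continue
            if qual != "+":  # -all, ~all, ?mech never grant 'pass', so add no addresses
                continue
            name, _, arg = mech.partition(":")
            name = name.lower()
            if name == "ip4":
                self.networks.append(ipaddress.IPv4Network(arg, strict=False))
            elif name == "include":
                self._count_lookup(domain, term)
                self.expand(arg)
            elif name == "a":
                self._count_lookup(domain, term)
                for addr in lookup(arg or domain, "A"):
                    self.networks.append(ipaddress.IPv4Network(addr + "/32"))
            elif name == "all":
                self.warnings.append(f"{domain}: '+all' authorizes every sender")
                self.networks.append(ipaddress.IPv4Network("0.0.0.0/0"))
            elif name in ("mx", "ptr", "exists"):
                self._count_lookup(domain, term)
                self.warnings.append(f"{domain}: '{term}' not modelled in this example")
            else:
                self.warnings.append(f"{domain}: '{term}' skipped (ip6/unknown)")


def authorized_address_count(domain: str) -> Tuple[int, int, List[str]]:
    """Return (number of IPv4 addresses that pass, DNS lookups used, warnings)."""
    ex = SpfExpander()
    ex.expand(domain)
    collapsed = ipaddress.collapse_addresses(ex.networks)  # merge overlapping/adjacent ranges
    return sum(n.num_addresses for n in collapsed), ex.lookups, ex.warnings


if __name__ == "__main__":
    for d in ("chase.com", "email.chase.com"):
        total, used, warns = authorized_address_count(d)
        print(f"{d}: {total} IPv4 addresses pass via {used} lookups; warnings={warns}")
```

Run against the constructed data, chase.com authorizes 2309 addresses and email.chase.com (via epsl1.com and bfi0.com) 4353, each using two of the ten permitted lookups. A whitelisting decision still needs to know who operates those ranges, but the expansion at least shows how much address space a single include: quietly pulls in.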