On Apr 9, 2014, at 9:13 PM, Scott Kitterman <[email protected]> wrote:
> On Wednesday, April 09, 2014 15:59:27 Douglas Otis wrote:
>> On Apr 9, 2014, at 3:03 PM, Al Iverson <[email protected]> wrote:
>>> On Wed, Apr 9, 2014 at 3:57 PM, Barney Wolff <[email protected]> wrote:
>>>> Since I brought up SRS, may I point out that the SRS conversion
>>>> includes a timestamp? So list operators need not, in fact, volunteer
>>>> in perpetuity. And yes, that means that I can't click reply a year
>>>> later and expect it to work. I can live with that.
>>>>
>>>> What's the alternative - being unable to reply at all?
>>>
>>> The alternative that I have personally implemented simply moves the
>>> poster's email address to the reply-to header.
>>>
>>> I've explained what I've done here:
>>> http://www.spamresource.com/2014/04/run-email-discussion-list-heres-how-to.html
>> Another approach that could have been used if IESG had not thwarted
>> deployment by demanding unique DKIM signatures in conjunction with
>> third-party signature exceptions. http://tools.ietf.org/html/rfc6541
>>
>> The industry could have constructed a hash list of domains offering well
>> administered third-party services. Instead, there is a growing list of
>> poorly considered DMARC policy assertions causing a growing placement of
>> mail into spam folders.
>>
>> The IESG had no problem with SPF's potentially hundreds of DNS queries that
>> might be made against otherwise uninvolved domains, in contrast to a single
>> ATPS query made to the authoritative domain. :^(
>
> Doug,
>
> I know you have a hard time restraining yourself from making up stuff about
> SPF. While I've no opinion about ATPS, hundreds of DNS queries due to SPF is
> nonsense.

Dear Scott,

Sorry for this off-topic comment.
Even 10 would be bad, but it can be much worse.

Is this still a valid SPF record?
TXT "v=spf1
mx:0.%{l}.%{d} mx:1.%{l}.%{d} mx:2.%{l}.%{d}
mx:3.%{l}.%{d} mx:4.%{l}.%{d} mx:5.%{l}.%{d}
mx:6.%{l}.%{d} mx:7.%{l}.%{d} mx:8.%{l}.%{d}
mx:9.%{l}.%{d} ?all"
This record makes use of normally varying email-address local-parts as a means
to ensure the directed DNS queries are not answered from cache.
MX records can reference wildcarded resources, such as those used by content
delivery networks. In that case, SPF can represent an extremely expensive
threat still defeating the change to SPF that limited the number of NX domains.
In addition, it is still common to find recommendations for two different
fields being checked. (10x10) x 2 is still 200 directed DNS transactions aimed
at a domain unrelated to the domain being verified. An attack vector lacking
evidence of the perpetrating domain being found in anyone's logs.
https://tools.ietf.org/html/draft-otis-spf-dos-exploit-01
Regards,
Douglas Otis

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
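A receiver-side cost check for records like the one Douglas posted, added here as an example (not code from the thread or from any SPF library): it counts the terms that RFC 7208 §4.6.4 charges against the limit of 10, estimates the worst-case number of DNS queries for a single identity check assuming the RFC's cap of 10 MX names per mx mechanism, and flags macros such as %{l} that change per message and so defeat resolver caching. The sample record is the one from the thread; the estimator, its thresholds and the macro classification are mine.

```python
import re

# Terms that require DNS lookups and count against the RFC 7208 §4.6.4 limit of 10.
LOOKUP_MECHS = {"a", "mx", "ptr", "include", "exists", "redirect"}
MAX_LOOKUP_TERMS = 10
MAX_MX_NAMES = 10  # RFC 7208 §4.6.4: at most 10 MX (or PTR) names resolved per mechanism
# Macros whose expansion varies per message (local-part, sender, client IP): assumption
# here is that any of them makes the generated query names effectively uncacheable.
CACHE_DEFEATING_MACROS = {"l", "s", "i"}

# The record from the thread, joined onto one line.
SAMPLE_RECORD = ("v=spf1 mx:0.%{l}.%{d} mx:1.%{l}.%{d} mx:2.%{l}.%{d} "
                 "mx:3.%{l}.%{d} mx:4.%{l}.%{d} mx:5.%{l}.%{d} "
                 "mx:6.%{l}.%{d} mx:7.%{l}.%{d} mx:8.%{l}.%{d} "
                 "mx:9.%{l}.%{d} ?all")

# qualifier? name (":" or "=" argument)?   e.g. "mx:0.%{l}.%{d}", "?all", "redirect=x"
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=](.*))?$", re.I)


def analyse_spf(record):
    """Static worst-case estimate of the DNS cost of evaluating one identity."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    lookup_terms = 0
    worst_case_queries = 0
    cache_defeating = set()
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparseable term: {term}")
        name, arg = m.group(2).lower(), m.group(3) or ""
        if name in LOOKUP_MECHS:
            lookup_terms += 1
            # mx/ptr: one lookup for the name list, then one address query per name
            worst_case_queries += 1 + MAX_MX_NAMES if name in ("mx", "ptr") else 1
        for macro in re.findall(r"%\{([a-z])", arg, re.I):
            if macro.lower() in CACHE_DEFEATING_MACROS:
                cache_defeating.add(macro.lower())
    return {
        "lookup_terms": lookup_terms,
        "within_limit": lookup_terms <= MAX_LOOKUP_TERMS,
        "worst_case_queries": worst_case_queries,
        "cache_defeating_macros": sorted(cache_defeating),
    }


if __name__ == "__main__":
    print(analyse_spf(SAMPLE_RECORD))
```

The figure is per identity; a receiver that checks both HELO and MAIL FROM, as the thread notes, pays it twice.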