Or, as RFC 4408 and RFC 7208 warn against, ESPs don't allow customers to send mail for anything other than their own domains. ESP customers, don't use ESPs that do this.
Scott K

On March 12, 2024 4:05:15 PM UTC, Dotzero <[email protected]> wrote:
>Neil, SPF essentially deals with hosts and IP address ranges. Your
>suggested solution does not address the main problem(s) raised in the
>research.
>
>One approach that potentially addresses the SPF problem of shared hosting
>would be for ESPs to use IPv6 address space for sending. Each customer can
>then be assigned unique IP addresses. An approach like this causes other
>potential operational problems, for example infrequent senders (think of a
>monthly newsletter sent at the beginning of each month). The issues
>presented by Chuhan Wang have actually been known and understood for quite
>some time even if not well documented for a wider audience.
>
>I do agree that the title is misleading.
>
>Michael Hammer
>
>On Tue, Mar 12, 2024 at 1:38 AM Neil Anuskiewicz <neil=[email protected]> wrote:
>
>> The solution to that vulnerability is in part to use a subdomain and, when
>> possible, narrow the scope of what you permit. Better yet, choose a vendor
>> that’s known for tight security. A quick look at the security headlines
>> will show you some vendor red flags. But the sad state of SPF is a
>> misleading title at best,
>>
>> On Mar 4, 2024, at 8:37 PM, Chuhan Wang <[email protected]>
>> wrote:
>>
>> Hi Everyone,
>> I am Chuhan Wang from Tsinghua University, the author of paper *BreakSPF:
>> How Shared Infrastructures Magnify SPF Vulnerabilities Across the Internet.*
>>
>> Thanks Barry for sharing our paper presented at NDSS regarding the
>> vulnerabilities of SPF in this work group. I'm glad to see that our
>> research on BreakSPF is being discussed in the IETF work group. It's
>> encouraging to know that our work is contributing to important
>> conversations about email security.
>>
>> I am willing to discuss any questions or concerns that may arise from our
>> paper. Please feel free to reach out to me, and I'll be more than happy to
>> discuss our findings and insights with the group.
>> Chuhan Wang
>> Tsinghua University
>>
>> Begin forwarded message:
>>
>> *From: *Barry Leiba <[email protected]>
>> *Subject: **[dmarc-ietf] The sad state of SPF: research just presented at
>> NDSS*
>> *Date: *February 28, 2024 at 17:33:41 CST
>> *To: *IETF DMARC WG <[email protected]>
>>
>> A paper was presented this morning at NDSS about the state of SPF, which
>> is worth a read by this group:
>>
>> https://www.ndss-symposium.org/ndss-paper/breakspf-how-shared-infrastructures-magnify-spf-vulnerabilities-across-the-internet/
>>
>> Barry
>> _______________________________________________
>> dmarc mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/dmarc
