On Saturday 09 December 2006 22:57, John Levine wrote: > >So attacker now gets smarter and sends as [EMAIL PROTECTED] > >Is there a policy record there? No. Can I populate every possible > >subdomain there? Not with DNS wildcards, therefore no. Uh-oh. > > We ran into just this problem while defining CSV, the "like wildcards > except that we use prefixes" problem. Having gone around this a lot > of times, I think I can say with confidence that there are a lot of > hacks, some rather clever, but there is no good solution. > > The suggestion that SSP would fail if a domain doesn't have at least > one of MX, A, or AAAA (perhaps with intervening CNAMEs) is intriguing, > but it would have the effect of adding the same condition to RFC 821 > or 2821 since SSP users would thereby decree such mail to be > undeliverable.. I entirely agree that it is unlikely that one will > get legit mail from an address without enough DNS to write back, but > this is severe standards mission creep.
I'm not suggesting SSP fails, just that providing an SSP for non-existing domains is not a requirement. If the domain doesn't exist, then SSP can say nothing either way. It's outside the scope of this protocol. One could regard this, potentially, as a gap in the protection (such as it is, let's not argue that again) provided by SSP, but I think non-existence of a domain is reason enough to be suspicious. That doesn't say one couldn't accept such a message, if you do, you are welcome too, I just don't think we should complicate SSP by attempting to require non-existent domains be protected. Scott K _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
