Your system comes under a modest form of DDoS attack that triggers so many SPF lookups that you can no longer process legitimate incoming email, or in some cases distinguish it (non-forged email) from forged email.
Do you disable your incoming email entirely? Or do you disable just your SPF lookups?
SPF allows attackers to force you to make that choice.
I just don't know if I buy this. Yes, a system is susceptible to the kind of attack you are describing. But I don't see it as practical on a large level. How do you suppose these spammers will enlist enough machines (and remain anonymous for long enough) to fire off an attack large enough to convince enough mail ops to abandon SPF just to accept the spam? And then get their spam out? I know there are people out there that don't have much else better to do. And I know they can find a way to get their virus or worm into enough unknowing or unsuspecting machines to enlist a large number of mailers. But can they simply walk in and take over indefinitely?
But even during the worst worm/virus episode/storm that was causing my mail servers to cook and boil over while trying to filter everything, I didn't just say "well, I'll just disable that virus and spam scanning and let it all go through". No, I cut down the number of messages it would accept and process and heck with the rest of it until people patch their darn machines. This caused a delay of several hours for some messages, and sure a couple of people complained. But nobody left. They just lived through it for a couple of days. I am sure they heard mention of the same stories from other people.
I still say that someone trying to send out spam would be better off just spending the ten dollars and setting up SPF in their DNS, if the point is to send out spam. What you are describing sounds more like they just want to break things. They would feel better using that energy for something productive.
Waitman
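The thread above argues about whether an attacker can make a receiving MTA burn unbounded DNS lookups through SPF. The standard defence on the receiver side is the per-check lookup budget that RFC 7208 (section 4.6.4) mandates: at most 10 DNS-querying mechanisms (include, a, mx, ptr, exists, redirect) per SPF evaluation, after which the check returns permerror instead of resolving further. The example below is added here and is not code from the original post or from any SPF library; it is a deliberately minimal evaluator (ip4/ip6, include and all only) over a constructed in-memory zone, with the domain names (good.example, relay.example, mail-bomb.example, hopN.example) and the SpfChecker class being hypothetical. It shows that a normal record completes in one lookup while a record that chains includes past the limit is cut off without ever reaching the bottom of the chain.

```python
"""Minimal SPF evaluator enforcing the RFC 7208 lookup budget.

Added example, not from the original post. ZONE is a constructed
in-memory stand-in for DNS TXT records; a real MTA would query a resolver.
"""
import ipaddress

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: DNS-querying mechanisms per check

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone (hypothetical domains). "good.example" is a normal record;
# "mail-bomb.example" starts a chain of 15 includes, far past the limit.
ZONE = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:relay.example -all",
    "relay.example": "v=spf1 ip4:198.51.100.10 -all",
    "mail-bomb.example": "v=spf1 include:hop0.example -all",
}
for i in range(15):
    nxt = f"hop{i + 1}.example" if i < 14 else "good.example"
    ZONE[f"hop{i}.example"] = f"v=spf1 include:{nxt} -all"


class LookupBudgetExceeded(Exception):
    """Raised when a single SPF check would exceed MAX_DNS_LOOKUPS."""


class SpfChecker:
    """Evaluates one message's SPF record against a lookup budget."""

    def __init__(self, zone):
        self.zone = zone
        self.lookups = 0  # DNS-querying mechanisms consumed so far

    def _txt(self, domain):
        # Fetching the SPF record itself does not count toward the limit.
        return self.zone.get(domain)

    def _charge(self, domain):
        # Each include/a/mx/ptr/exists/redirect costs one unit of budget.
        self.lookups += 1
        if self.lookups > MAX_DNS_LOOKUPS:
            raise LookupBudgetExceeded(domain)

    def check(self, ip, domain):
        """Return (result, lookups_used); result is pass/fail/softfail/neutral/none/permerror."""
        try:
            return self._eval(ipaddress.ip_address(ip), domain), self.lookups
        except LookupBudgetExceeded:
            # Budget blown: stop resolving and reject the check as malformed.
            return "permerror", self.lookups

    def _eval(self, ip, domain):
        record = self._txt(domain)
        if record is None or not record.startswith("v=spf1"):
            return "none"
        for term in record.split()[1:]:
            qualifier = "+"
            if term[0] in QUAL:
                qualifier, term = term[0], term[1:]
            if term.startswith(("ip4:", "ip6:")):
                # Address-literal mechanisms need no DNS and are not charged.
                if ip in ipaddress.ip_network(term[4:], strict=False):
                    return QUAL[qualifier]
            elif term.startswith("include:"):
                self._charge(term[8:])
                if self._eval(ip, term[8:]) == "pass":
                    return QUAL[qualifier]
            elif term == "all":
                return QUAL[qualifier]
        return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for sender_ip, dom in [("198.51.100.10", "good.example"),
                           ("198.51.100.10", "mail-bomb.example")]:
        print(dom, SpfChecker(ZONE).check(sender_ip, dom))
```

The budget is tracked per SpfChecker instance, i.e. per message, which is what keeps one hostile sender from turning a single delivery attempt into a long chain of resolver queries; a separate per-source rate limit at the MTA, as the reply above describes doing during a worm storm, bounds the number of such checks a source can trigger per unit time.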