On 3 Jun 2004, at 23:30, James Craig Burley wrote:
> Here's what it comes down to: say that, in a couple of years, you have become substantially dependent upon SPF to "vet" all incoming emails, however you're doing that.
> Your system comes under a modest form of DDoS attack that triggers so many SPF lookups that you can no longer process legitimate incoming email, or in some cases distinguish it (non-forged email) from forged email.
> Do you disable your incoming email entirely? Or do you disable just your SPF lookups?
> SPF allows attackers to force you to make that choice.

No, it really does not. Doing the SPF lookup and calculation is a minor overhead on an SMTP server that already performs about 20 DNS lookups for EVERY email. This was no more true before SPF than it is after SPF.
Matt.