>On 3 Jun 2004, at 23:30, James Craig Burley wrote:
>
>> Here's what it comes down to: say that, in a couple of years, you have
>> become substantially dependent upon SPF to "vet" all incoming emails,
>> however you're doing that.
>>
>> Your system comes under a modest form of dDOS attack that triggers so
>> many SPF lookups that you can no longer process legitimate incoming
>> email, or in some cases distinguish it (non-forged email) from forged
>> email.
>>
>> Do you disable your incoming email entirely? Or do you disable just
>> your SPF lookups?
>>
>> SPF allows attackers to force you to make that choice.
>
>No, it really does not. Doing the SPF lookup and calculation is a minor
>overhead on an SMTP server that already performs about 20 DNS lookups
>for EVERY email. This was no more true before SPF than it is after SPF.
Please, pay careful attention to these questions and answer them:

How many of those "20 DNS lookups for EVERY email" (WTF!!??) are done
on arbitrary *names* provided by the injecting SMTP *client*?

Which of them?

What sort of data is looked up?

For what purpose is it used?

--
James Craig Burley
Software Craftsperson
<http://www.jcb-sc.com>
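The lookup-amplification concern raised in this thread is the reason a receiver should bound the DNS work an SPF record can demand before resolving anything: the record is fetched for a domain the SMTP client chose, so its contents are under the sender's control. The following is an added example (not code from either correspondent) that parses one SPF TXT record offline and counts the terms that would trigger DNS queries, using the limit of 10 such terms per evaluation that RFC 7208 later standardized; the record strings are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# RFC 7208 section 4.6.4 caps these terms at 10 per evaluation; a compliant
# evaluator returns "permerror" once the cap is exceeded instead of resolving more.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_MODIFIERS = {"redirect"}          # "exp=" is a modifier that costs no lookup here
MAX_DNS_TERMS = 10

_TERM_RE = re.compile(r"^([A-Za-z0-9]+)([:=/])?(.*)$")


@dataclass
class SpfBudget:
    dns_terms: int = 0                   # terms that would each trigger at least one DNS query
    over_budget: bool = False            # True: stop evaluating, treat as permerror
    lookups: list = field(default_factory=list)   # (term name, argument) in record order


def audit_spf_record(record: str, limit: int = MAX_DNS_TERMS) -> SpfBudget:
    """Count lookup-triggering terms in one SPF record without sending any DNS query."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    result = SpfBudget()
    for term in terms[1:]:
        if term[0] in "+-~?":            # qualifier does not affect lookup cost
            term = term[1:]
        m = _TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparseable term: {term!r}")
        name, sep, arg = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "=":                   # name=value is a modifier
            counts = name in LOOKUP_MODIFIERS
        else:                            # otherwise a mechanism (ip4/ip6/all cost nothing)
            counts = name in LOOKUP_MECHANISMS
        if counts:
            result.dns_terms += 1
            result.lookups.append((name, arg))
    result.over_budget = result.dns_terms > limit
    return result


if __name__ == "__main__":
    # Constructed records: a cheap one and one that exceeds the budget outright.
    print(audit_spf_record("v=spf1 ip4:192.0.2.0/24 mx -all"))
    heavy = "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"
    print(audit_spf_record(heavy))
```

This audits only the top-level record; each `include:` or `redirect=` pulls in another record whose terms count against the same budget, so a full evaluator carries the running total through that recursion and stops as soon as it is exceeded.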