Re: Conclusions of Last Call for draft-ietf-spfbis-4408bis

Patrik Fältström <paf@frobbit.se> Tue, 10 September 2013 12:32 UTC

On 10 sep 2013, at 13:39, "Murray S. Kucherawy" <superuser@gmail.com> wrote:

> On Tue, Sep 10, 2013 at 4:04 AM, Patrik Fältström <paf@frobbit.se> wrote:
> What we did look at was first of all every query for an MX resource record. Then we look at +/-1 second from the timestamp of that MX query for TXT and/or SPF record for the same owner. We draw the conclusion that if there is a query for an MX record, and then either TXT or SPF (or both) within the approximately same timespan, then they are related queries.
> 
> I'm not sure that's a valid conclusion.  Since MX is needed only for a sending system, a receiving system doing an SPF check of either type has no reason to query for MX.  The exception to this might be a heuristic check to see if the domain in the MAIL FROM has MX or A published such that a reply appears to be possible, but I wouldn't expect a strong correlation in your data.

True.

View my explanation just as it was: how we did our calculations. Anyone can draw conclusions from the data.

The problem is that if one looks at just queries to a root server like this, there is a lot of what I would call "junk". When looking at TLDs, we saw about 162 million different TLDs each 24h in the QNAME. This time we also saw, for example, queries for SPF and other RR types where the QNAME was an IPv4 address (for example "10.2.3.4.").

So, we found _some_ algorithm was needed instead of "just" counting queries, and we did count the way I just explained.

   Patrik
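
The counting method described in this message (each MX query, then TXT and/or SPF queries for the same owner within +/-1 second), as an added example that is not part of the original message and not the measurement's own code. The record layout, the category names and the sample queries are assumptions constructed for illustration.

```python
from bisect import bisect_left, bisect_right
from collections import Counter, defaultdict

WINDOW = 1.0  # seconds either side of the MX query, as described in the message

# Constructed sample: (timestamp in seconds, QNAME, QTYPE). Not real root-server data.
SAMPLE_QUERIES = [
    (100.0, "example.com.", "MX"),
    (100.4, "example.com.", "TXT"),
    (100.6, "example.com.", "SPF"),
    (200.0, "example.net.", "MX"),
    (200.9, "example.net.", "TXT"),
    (300.0, "example.org.", "MX"),
    (302.5, "example.org.", "SPF"),   # outside the window: not counted
    (400.0, "example.edu.", "TXT"),   # no MX query: ignored by this method
    (500.0, "10.2.3.4.", "SPF"),      # IPv4-address QNAME, no MX: ignored
]


def correlate(queries, window=WINDOW):
    """Classify each MX query by TXT/SPF queries for the same owner within +/- window."""
    # Index TXT and SPF timestamps per (owner, qtype), sorted for binary search.
    seen = defaultdict(list)
    for ts, qname, qtype in queries:
        if qtype in ("TXT", "SPF"):
            seen[(qname.lower(), qtype)].append(ts)
    for stamps in seen.values():
        stamps.sort()

    def near(owner, qtype, ts):
        stamps = seen.get((owner, qtype), [])
        lo = bisect_left(stamps, ts - window)
        hi = bisect_right(stamps, ts + window)
        return hi > lo  # at least one query falls inside the window

    labels = {(True, True): "both", (True, False): "txt_only",
              (False, True): "spf_only", (False, False): "neither"}
    counts = Counter()
    for ts, qname, qtype in queries:
        if qtype != "MX":
            continue
        owner = qname.lower()  # DNS names compare case-insensitively
        counts[labels[(near(owner, "TXT", ts), near(owner, "SPF", ts))]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(correlate(SAMPLE_QUERIES))
```

Because only MX queries anchor a count, the stray TXT query and the IPv4-address QNAME in the sample never enter the totals.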