IETF Logo Mail Archive

Re: [spfbis] Updated charter - final review

Scott Kitterman <spf2@kitterman.com> Thu, 02 February 2012 01:54 UTC

Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87BA011E80F8 for <spfbis@ietfa.amsl.com>; Wed, 1 Feb 2012 17:54:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.468
X-Spam-Level:
X-Spam-Status: No, score=-2.468 tagged_above=-999 required=5 tests=[AWL=0.131, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HqPavMc1sQm9 for <spfbis@ietfa.amsl.com>; Wed, 1 Feb 2012 17:54:22 -0800 (PST)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) by ietfa.amsl.com (Postfix) with ESMTP id A839911E8087 for <spfbis@ietf.org>; Wed, 1 Feb 2012 17:54:22 -0800 (PST)
Received: from mailout03.controlledmail.com (localhost [127.0.0.1]) by mailout03.controlledmail.com (Postfix) with ESMTP id 1E31BD0408B; Wed, 1 Feb 2012 19:54:22 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1328147662; bh=lUJUPdv2kAuRqQQFl2B/jeVLLZK7j5cqRON/YJxRAg4=; h=References:In-Reply-To:MIME-Version:Content-Type: Content-Transfer-Encoding:Subject:From:Date:To:Message-ID; b=ARYpcTekxvsXOSq/R7QlFn7cJfY1BnplP01IzcV9+dfz17vqbCkBFIDPc2heb0wXu kWazUe+GD85jhRcy9JFelSkQmmKGJT6nyZKTDSWqTtwUgQfXhHI5hAZc/P5MeKfhtU 63MZZzoFYWPLilam5W7hVTjvzxlryHbE6kHe1tNE=
Received: from [192.168.111.101] (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id CE2D2D04025; Wed, 1 Feb 2012 19:54:21 -0600 (CST)
References: <4F28DBB7.5070101@qualcomm.com> <4F29E395.3020100@mail-abuse.org>
User-Agent: K-9 Mail for Android
In-Reply-To: <4F29E395.3020100@mail-abuse.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
From: Scott Kitterman <spf2@kitterman.com>
Date: Wed, 01 Feb 2012 20:53:42 -0500
To: spfbis@ietf.org
Message-ID: <5905d04c-42eb-42f0-b580-1fb654cfe5af@email.android.com>
X-AV-Checked: ClamAV using ClamSMTP
Subject: Re: [spfbis] Updated charter - final review
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2012 01:54:23 -0000

Douglas Otis <dotis@mail-abuse.org> wrote:

>On 1/31/12 10:29 PM, Pete Resnick wrote:
>> All,
>>
>> I have made some updates to the charter based on feedback during IESG
>
>> review. If I can sneak it onto the Thursday telechat this week, I 
>> might, but the IESG might be none too pleased for me to put it on so 
>> late, so it may wait two more weeks. We'll see.
>>
>> Please review the below and see if there is anything that makes your 
>> head explode.
>Dear Pete,
>
>At any inbound SMTP server, there may be attempts to resolve an 
>extensive list of IPv4 and IPv6 addresses associated with SPF records 
>whether referenced from insecure SMTP Mail From or HELO/EHLO
>parameters. 
>SMTP services must cope with an extensive amount of unwanted traffic
>and 
>will therefore have extensive provisioning. SMTP distributed attacks 
>will be extremely difficult for any single SMTP recipient to detect.
>Nor 
>will victims of an attack be aware of the triggering messages. Victims 
>of this type of attack may not even exchange SMTP traffic.
>
>Most sources of unwanted SMTP traffic originate from insecure hosts. 
>Resulting SPF related DNS transactions performed by receiving SMTP 
>servers will obfuscate their source. In addition,
>Authentication-Results 
>header fields, that may be added to forwarded messages, exclude source 
>IP addresses. Even when victims of targeted attacks are known,
>proactive 
>protection at either SMTP or DNS services can be thwarted by SPF’s
>macro 
>capabilities. SPF’s macros makes it impractical to identify records or 
>messages involved in an attack which may also lead to extensive traffic
>
>amplification.
>
>DDoS vulnerabilities may result from the distributed nature of SMTP 
>messages and receipt of DNS traffic related to SPF validation which may
>
>consume all of a victim's available resources. Whether an attack 
>leverages HELO/EHLO subdomains or more significantly an email-address 
>local-part, the overall number of transactions involved can be
>extensive 
>while demanding little of the sender’s resources. An SPF ‘mx’ or ‘ptr’ 
>mechanism limit corresponds to a ten times greater number of DNS 
>resource record resolutions. SPF deployment would be significantly
>safer 
>where recipients employ reasonable limits for the permitted number of 
>resulting DNS failures.
>
>Determining reasonable DNS error limits for SPF should be part of the
>WG 
>charter. Potential victims of SPF amplifications will not represent 
>those needing to change the SPF process.

The charter already covers this. If there are operational problems with the current design, it's in scope to address them.

Scott K

v2.23.0 | Report a Bug | By Email