[spfbis] SPFbis WG scope
Douglas Otis <dotis@mail-abuse.org> Sat, 17 December 2011 03:52 UTC
Return-Path: <dotis@mail-abuse.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F105B11E808A for <spfbis@ietfa.amsl.com>; Fri, 16 Dec 2011 19:52:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.408
X-Spam-Level:
X-Spam-Status: No, score=-102.408 tagged_above=-999 required=5 tests=[AWL=0.191, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s9sraqytvpE2 for <spfbis@ietfa.amsl.com>; Fri, 16 Dec 2011 19:52:38 -0800 (PST)
Received: from mailserv.mail-abuse.org (mailserv.mail-abuse.org [150.70.98.118]) by ietfa.amsl.com (Postfix) with ESMTP id 7CAA711E8080 for <spfbis@ietf.org>; Fri, 16 Dec 2011 19:52:38 -0800 (PST)
Received: from US-DOUGO-MAC.local (sjdcluxgateway2.sdi.trendnet.org [10.31.37.9]) by mailserv.mail-abuse.org (Postfix) with ESMTPSA id 3F66B17401C7 for <spfbis@ietf.org>; Sat, 17 Dec 2011 03:52:37 +0000 (UTC)
Message-ID: <4EEC1204.2000707@mail-abuse.org>
Date: Fri, 16 Dec 2011 19:52:36 -0800
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: SPFbis discussion list <spfbis@ietf.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [spfbis] SPFbis WG scope
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Dec 2011 03:52:39 -0000
Attempts to elevate SPF to a standards track document just as Carrier Grade or Large Scale NATs appear distracts from a greater need to provide scalable cryptographic validation for SMTP servers. SPF provides little protection against spoofing since MAILFROM is not seen. Efforts to extend SPF to include PRA suffers from similar problems since malefactors can use unseen PRA header fields as well. The macro expansion required for SPF processing risks DDoS threats with little justification. For example, SPF evaluation may require subsequent transactions formed by email-address local-parts. Since most spam campaigns already modify source address local-parts, any targeted attack against a domain (which may not be present within these messages) will not burden malefactor's DNS since SPF records referenced by the domain portion of the email address will have been cached. This permits both spamming and DDoS to occur simultaneously that exploits SPF's burden placed upon recipient resources. Use of "exists" macros is equally nonsensical. Any message with an email address pointing to existing resource records as dictated by SPF macros reveals absolutely nothing about who sent the message! The 10 mechanism macro limit must include subsequent transactions necessary to resolve authorized IP address lists. Even this seemingly low limit can result in significant levels of network amplification oweing to processing burdens placed upon recipients. While email providers are unlikely targets, and processing complex SPF macros are seldom logged, there would be few clues regarding this attack from a victims perspective. Assumptions that a valid authorization confirms the action of a domain is also wrong. Often these authorizations are essential to ensure delivery can be accomplished by various email providers. Rather than expecting recipients to discern whether an entire sequence of email deliveries properly executed the "who's it" handshake and that no one is lying all depends upon the last provider in the sequence. Recipients should be allowed to either trust the last provider or not, where authentication of this last provider represents the only scalable solution. http://tools.ietf.org/html/draft-kucherawy-dkim-atps-11 provides a "single" transaction method for DKIM signers to authorize all last in sequence providers. There is no reason to muddle with the return path for DSNs since this will further lower email integrity. -Doug
- Re: [spfbis] SPFbis WG scope Scott Kitterman
- [spfbis] SPFbis WG scope Douglas Otis
- Re: [spfbis] SPFbis WG scope Julian Mehnle
- Re: [spfbis] SPFbis WG scope Murray S. Kucherawy
- Re: [spfbis] SPFbis WG scope Alessandro Vesely
- Re: [spfbis] SPFbis WG scope Julian Mehnle
- Re: [spfbis] SPFbis WG scope Alessandro Vesely
- Re: [spfbis] SPFbis WG scope Murray S. Kucherawy
- Re: [spfbis] SPFbis WG scope Alessandro Vesely
- Re: [spfbis] SPFbis WG scope Murray S. Kucherawy
- Re: [spfbis] SPFbis WG scope Scott Kitterman
- Re: [spfbis] SPFbis WG scope Douglas Otis
- Re: [spfbis] SPFbis WG scope Dave CROCKER
- Re: [spfbis] SPFbis WG scope Dave CROCKER
- Re: [spfbis] SPFbis WG scope Tim Draegen
- Re: [spfbis] SPFbis WG scope Scott Kitterman
- Re: [spfbis] SPFbis WG scope Hector Santos
- Re: [spfbis] SPFbis WG scope Hector Santos
- Re: [spfbis] SPFbis WG scope Alessandro Vesely
- Re: [spfbis] SPFbis WG scope Dave CROCKER
- Re: [spfbis] SPFbis WG scope Dave CROCKER
- Re: [spfbis] SPFbis WG scope Scott Kitterman
- Re: [spfbis] SPFbis WG scope Hector Santos
- Re: [spfbis] SPFbis WG scope Dave CROCKER
- Re: [spfbis] SPFbis WG scope Murray S. Kucherawy
- Re: [spfbis] SPFbis WG scope Murray S. Kucherawy
- Re: [spfbis] SPFbis WG scope Dave CROCKER
- Re: [spfbis] SPFbis WG scope Murray S. Kucherawy
- Re: [spfbis] SPFbis WG scope Tim Draegen
- Re: [spfbis] SPFbis WG scope Douglas Otis
- Re: [spfbis] SPFbis WG scope Scott Kitterman
- Re: [spfbis] SPFbis WG scope Douglas Otis
- Re: [spfbis] SPFbis WG scope Tim Draegen
- Re: [spfbis] SPFbis WG scope Douglas Otis
- Re: [spfbis] SPFbis WG scope Dave CROCKER