On Thu, Jul 31, 2003 at 04:07:08PM +0200, David Saez wrote:
[I wrote, but David snipped the attribution:]
> > organisations. Also, it doesn't scale well for any organisation who respond
> > to load by bringing other machines online. There appears to be no provision
> > for killing the SPF querier by doing recursive SPFincludes, with no actual
> > data. As far as I can tell, David Saez's ACL falls to this attack.
> exim acl recursion is limited to 20 iterations, so there is no way to
> produce any damage to a Exim server. Nevertheless there will be no
Oh, well, that's great. And it's of course totally clear what your ACL will
do under that circumstance.
> recursion if there is no real recursive SPFIncludes published. No data
> produces no recursion.
huh? My point is that there's no "useful data" in the SPF thing, ie, no
SPFallow or SPFdeny or whatever it was.
foo.com IN TXT "SPFInclude=foo.org"
foo.org IN TXT "SPFInclude=foo.com"
That doesn't contain any "data" in the context of SPF, not in the context
of DNS. If I'd meant NODATA, I would have said NODATA.
> > This is
> > also by no means the first time that something like this has been mooted,
> > and every time, it's rejected, mainly because of the enormous amount of work
> > it requires (both to set up and to maintain).
> It took me 10 minutes to publish spf info for about 200 domains. I also
> do not understand your objections to how spf scales. As I know you could
> spf-allow a whole C class with a single line of configuration.
Bully for you. I'm sure everyone else's systems are configured in exactly
the same way as yours, and hence it will be just as easy for them to do...
As I've said already, this is not a new idea, and hence there's no reason
to assume that it will succeed this time.
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/
