Re: Trouble with Sender Authentication



On 10 Nov 2006, John Levine wrote:

> I do agree that the DNS threat from SPF is not qualitatively worse
> than what we already put up with for CNAMEs.

Actually, the top candidates for DNS amplification abuse are large SPF
records, followed by large collections of IN-ADDR records for a single IP,
as is the case for large virtual hosting sites.  Both practices are
advocated by anti-spammers.

I recently saw a ~4k byte SPF record, published by an anti-spam site.  
DNSSEC signed SPF records will probably break the 8K limit.

That's about a 90 to 1 amplification factor.

You can get some amplification with any record type.  You can only get
the high amplification with certain types and certain practices.

		--Dean



-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000
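
An added example, not part of the original message: a way to estimate the response-to-query size ratio of a TXT/SPF record you publish, computed from DNS wire-format sizes without sending any traffic. The name `example.org` and the record contents are constructed; the sketch assumes EDNS0 on both query and response, a compressed owner name in the answer, and no DNSSEC signatures.

```python
import struct

TYPE_TXT, CLASS_IN, TYPE_OPT = 16, 1, 41

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def opt_rr(udp_size=4096):
    """EDNS0 OPT pseudo-record: root name, type 41, class = UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)

def question(name):
    return encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)

def query_size(name):
    """12-byte header + question + OPT record."""
    return 12 + len(question(name)) + len(opt_rr())

def txt_rdata(text):
    """TXT RDATA is a sequence of character-strings of at most 255 bytes each."""
    raw = text.encode("ascii")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def response_size(name, txt_records):
    """Header + echoed question + one answer RR per TXT record + OPT record."""
    size = 12 + len(question(name))
    for text in txt_records:
        # 2-byte compression pointer + type, class, TTL, RDLENGTH (10 bytes)
        size += 2 + 10 + len(txt_rdata(text))
    return size + len(opt_rr())

def amplification(name, txt_records):
    return response_size(name, txt_records) / query_size(name)

# Constructed sample: an SPF record of roughly 4k bytes, as in the message.
SAMPLE_SPF = "v=spf1 " + "ip4:192.0.2.1 " * 285 + "-all"

if __name__ == "__main__":
    print(query_size("example.org"), response_size("example.org", [SAMPLE_SPF]))
    print("ratio: %.1f to 1" % amplification("example.org", [SAMPLE_SPF]))
```

The exact ratio depends on the length of the queried name and on whether signatures are included, so the figure for a given zone will differ from the one quoted in the message.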