
Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review



Douglas Otis <dotis at mail-abuse.org> wrote:
> 
> http://amir.herzberg.googlepages.com/somerecentpapers
> 
> This paper refers to DNS poisoning without fully exploring how SPF  
> might be used to enable DNS poisoning.

   Doug perhaps asks too much... But the paper does explain a particular
exploit, where SPF records are used to cause particular DNS queries at
"known" times, to which forged responses can be spoofed, potentially
greatly increasing the risk of DNS poisoning.

   Discussion of that particular exploit does seem in scope.

   The paper is somewhat disappointing in only mentioning "rate limiting"
and "dedicated DNS proxy" as countermeasures, without any particulars.

   Is there any interest in fleshing out these countermeasures?

> SPF supports the use of macros to access A, AAAA, PTR and TXT DNS  
> resource records.  These macros might expand local-parts within the  
> email-message, which means SPF records may NOT be fully cacheable.   
> Subsequent record resolutions can be triggered by the SPF macros,  
> where as many as one hundred such record resolutions can occur when  
> resolving a single SMTP source authorization.

   This sounds like the sort of issue where a "dedicated DNS proxy"
for SPF queries could apply rate-limiting to good advantage. Of
course, it would end up delivering "less" than SPF proponents have
been claiming as SPF's "advantages;" but I suspect Doug is not alone
in considering such a "feature" as beneficial.

   ;^)

--
John Leslie <john at jlc.net>
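
The following sketch is an added example, not part of the original message or of the paper it discusses. It shows one way the "dedicated DNS proxy" with "rate limiting" mentioned above could decide whether to forward a query caused by an SPF evaluation. The class name, the limits, and the sample names are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

class SpfQueryLimiter:
    """Admission check for a resolver front-end that handles only SPF lookups."""

    def __init__(self, per_eval_budget=10, zone_rate=2.0, zone_burst=5,
                 clock=time.monotonic):
        self.per_eval_budget = per_eval_budget  # queries per SPF evaluation (illustrative)
        self.zone_rate = zone_rate              # tokens refilled per second (illustrative)
        self.zone_burst = zone_burst            # bucket capacity per zone (illustrative)
        self.clock = clock
        self.eval_used = defaultdict(int)       # eval_id -> queries already forwarded
        self.buckets = {}                       # zone -> (tokens, last_seen)

    @staticmethod
    def zone_of(qname):
        # Assumption: the last two labels approximate the zone; a deployment
        # would consult the Public Suffix List instead.
        return ".".join(qname.rstrip(".").lower().split(".")[-2:])

    def allow(self, eval_id, qname):
        """Return (allowed, reason) for one query caused by evaluation eval_id."""
        if self.eval_used[eval_id] >= self.per_eval_budget:
            return False, "eval-budget"
        zone, now = self.zone_of(qname), self.clock()
        tokens, last = self.buckets.get(zone, (float(self.zone_burst), now))
        tokens = min(float(self.zone_burst), tokens + (now - last) * self.zone_rate)
        allowed = tokens >= 1.0
        self.buckets[zone] = (tokens - 1.0 if allowed else tokens, now)
        if not allowed:
            return False, "zone-rate"
        self.eval_used[eval_id] += 1
        return True, "ok"

def run(limiter, eval_id, names):
    """Feed names through the limiter and return the reason for each."""
    return [limiter.allow(eval_id, n)[1] for n in names]

if __name__ == "__main__":
    now = [0.0]
    lim = SpfQueryLimiter(clock=lambda: now[0])
    # Constructed names standing in for macro-expanded lookups that never hit a cache.
    burst = [f"user{i}.spf.victim.example" for i in range(100)]
    reasons = run(lim, "msg-1", burst)
    print(reasons.count("ok"), "forwarded,", reasons.count("zone-rate"), "refused")
```

The per-zone bucket is shared across messages, so many separate evaluations cannot together produce a burst of queries toward one zone; the per-evaluation budget caps what a single SPF record can trigger.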