Old revision:

== Given a large enough spam run, SPF becomes a DDOS against the forged domain!

Each SMTPd in a spam run may send a DNS query to the forged host's nameservers. At a million SMTPds, that's 100 megabytes of traffic!

DNS queries are still smaller than bounce messages. And most SPF lookups can be cached; only the relatively uncommon [http://www.openspf.org/mechanisms.html#exists exists] mechanism doesn't benefit from caching.

Strict [http://new.openspf.org/blobs/draft-schlitt-spf-classic-02.html#anchor31 processing limits] have been put in place to mitigate the risks associated with DNS loading from SPF.

New revision:

== Given a large enough spam run, SPF becomes a DDoS attack against the forged domain!

Each SMTP MTA in a spam run may send a DNS query to the forged host's nameservers. At a million MTAs, that's 100 megabytes of traffic!

DNS queries are still smaller than bounce messages. And most SPF lookups can be cached; only the relatively uncommon "<tt>[[SPF Record Syntax#exists|exists]]</tt>" mechanism doesn't benefit from caching (because it is usually used with macros, which make caching difficult).

Strict [[RFC 4408#processing-limits|processing limits]] have been put in place to mitigate the risks associated with DNS loading from SPF.
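As an added illustration (not code from this page or from the SPF project) of what those processing limits guard against, here is a small Python checker that counts the DNS-querying terms of an SPF record against the 10-lookup limit of RFC 4408 and flags "exists" mechanisms that use macros, since those defeat resolver caching. The record strings are constructed samples and the domain names are placeholders.

```python
import re

# Terms that cause a DNS query during evaluation (RFC 4408 section 10.1).
# "all", "ip4" and "ip6" are evaluated without any lookup.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_TERMS = 10  # RFC 4408: at most 10 DNS-querying terms per SPF check

# Macro expansion marker, e.g. %{i} (sender IP) or %{d} (domain).
MACRO_RE = re.compile(r"%\{[slodiphcrtv]", re.IGNORECASE)


def audit_spf(record):
    """Summarise the DNS load a single SPF record can cause.

    Only the top-level record is inspected; include/redirect targets
    are counted but not fetched, so the real total can only be higher.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    dns_terms = 0
    uncacheable = []
    for term in terms[1:]:
        # Drop the qualifier (+ - ~ ?) and keep only the mechanism name,
        # which ends at the first ":", "=" or "/" (prefix length).
        name = re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()
        if name in DNS_TERMS:
            dns_terms += 1
        # An "exists" target built from macros differs for every sender
        # address or IP, so a resolver cache never absorbs the query.
        if name == "exists" and MACRO_RE.search(term):
            uncacheable.append(term)
    return {
        "dns_terms": dns_terms,
        "over_limit": dns_terms > MAX_DNS_TERMS,
        "uncacheable": uncacheable,
    }


# Constructed sample records (placeholder domains).
SAMPLE_RECORDS = [
    "v=spf1 mx a include:_spf.example.net -all",
    "v=spf1 exists:%{ir}.%{v}._spf.example.org -all",
    "v=spf1 " + " ".join("include:r%d.example.com" % i for i in range(11)) + " -all",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "->", audit_spf(rec))
```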