SPF is harmful, covered by Microsoft's patent application, and insecure. - TCP-IP

Thread: SPF is harmful, covered by Microsoft's patent application, and insecure.

  1. SPF is harmful, covered by Microsoft's patent application, and insecure.

    ML> So send an email, while bombarding the receiving MTA with fake
    ML> "TXT" answers would most probably work if that MTA runs Windows
    ML> and port 53 is improperly blocked.

    RR> [...] If DNS was 100% supported over TCP/IP (many DNS servers only
    RR> respond to UDP/IP queries), then it would be possible for an eMail
    RR> server administrator to ensure better security in such cases.

    ML> I don't agree, although I agree many protocols are badly designed
    ML> from today's perspective. DNS is actually one of the protocols that
    ML> should be very difficult to spoof.

    Wrong. DNS/UDP has transaction ID checks that are relatively easy to
    overcome nowadays.



  2. Re: SPF is harmful, covered by Microsoft's patent application, and insecure.

    On Fri, 08 Oct 2004 03:43:05 +0000, Jonathan de Boyne Pollard wrote:

    > ML> So send an email, while bombarding the receiving MTA with fake
    > ML> "TXT" answers would most probably work if that MTA runs Windows
    > ML> and port 53 is improperly blocked.
    >
    > RR> [...] If DNS was 100% supported over TCP/IP (many DNS servers only
    > RR> respond to UDP/IP queries), then it would be possible for an eMail
    > RR> server administrator to ensure better security in such cases.
    >
    > ML> I don't agree, although I agree many protocols are badly designed
    > ML> from today's perspective. DNS is actually one of the protocols that
    > ML> should be very difficult to spoof.
    >
    > Wrong. DNS/UDP has transaction ID checks that are relatively easy to
    > overcome nowadays.
    First, I don't accept anything djb says without some independent proof. He
    seems right this time though. Secondly, DNS is difficult to spoof. Not
    impossible, but difficult. There are implementations that make spoofing
    easier, but those are problems with those implementations. The MS
    resolver is particularly easy to fool.

    M4
    --
    Redundancy is a great way to introduce more single points of failure.
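The checks the thread is arguing about (the 16-bit transaction ID, and what else a resolver can match on before trusting a UDP answer) are shown below as an added example; it is not code from either poster, nor from any named resolver. It builds a constructed TXT query and response in DNS wire format, applies the matching rules a stub resolver uses, and sizes the space a forged answer has to hit with and without source-port randomization. The server address 192.0.2.53, the 1024..65535 ephemeral port range and the sample SPF-style TXT text are all assumptions for the demo.

```python
import secrets
import struct

# DNS wire-format header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035)
HEADER = struct.Struct("!HHHHHH")
QTYPE_TXT = 16
QCLASS_IN = 1
EPHEMERAL_PORTS = 65535 - 1024 + 1  # assumed resolver source-port range 1024..65535
UPSTREAM = "192.0.2.53"  # assumed upstream server (documentation address)


def encode_name(name):
    """Encode a dotted name as a DNS label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed label sequence; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname, qtype=QTYPE_TXT):
    """Return (pending_record, wire_bytes): random 16-bit ID and random source port."""
    txid = secrets.randbelow(1 << 16)
    sport = 1024 + secrets.randbelow(EPHEMERAL_PORTS)
    wire = (HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN))
    pending = {"txid": txid, "sport": sport, "qname": qname.lower(),
               "qtype": qtype, "server": UPSTREAM}
    return pending, wire


def build_response(txid, qname, qtype, rdata):
    """Constructed sample: one-answer TXT response, answer name via pointer 0xC00C."""
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    txt = bytes([len(rdata)]) + rdata
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, QCLASS_IN, 300, len(txt)) + txt
    return HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer


def validate_response(pending, src_addr, dst_port, msg):
    """Return (accepted, reason): what a stub resolver matches before trusting an answer."""
    if src_addr != pending["server"]:
        return False, "answer from unexpected server address"
    if dst_port != pending["sport"]:
        return False, "answer to a port we did not query from"
    if len(msg) < HEADER.size:
        return False, "truncated header"
    txid, flags, qdcount, _, _, _ = HEADER.unpack_from(msg, 0)
    if txid != pending["txid"]:
        return False, "transaction ID mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if qdcount != 1:
        return False, "question count mismatch"
    qname, off = decode_name(msg, HEADER.size)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    if (qname.lower(), qtype, qclass) != (pending["qname"], pending["qtype"], QCLASS_IN):
        return False, "question section does not match our query"
    return True, "ok"


def match_space(randomized_port):
    """Distinct (ID, port) combinations a forged answer must match to pass the checks."""
    return (1 << 16) * (EPHEMERAL_PORTS if randomized_port else 1)


if __name__ == "__main__":
    pending, _ = build_query("example.com")
    reply = build_response(pending["txid"], "example.com", QTYPE_TXT, b"v=spf1 -all")
    print(validate_response(pending, UPSTREAM, pending["sport"], reply))
    print(match_space(False), match_space(True))
```

With only the transaction ID randomized, an answer that passes the header check is one of 65,536 possibilities, which is the weakness the first post points at; randomizing the source port as well multiplies that by the size of the port range, and DNS over TCP (raised in the RR> quote) adds the handshake's sequence numbers on top. Resolvers that reuse a fixed port or predictable IDs are the "implementations that make spoofing easier" the second post mentions.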

