Neil, SPF essentially deals with hosts and IP address ranges. Your
suggested solution does not address the main problem(s) raised in the
research.

One approach that potentially addresses the SPF problem of shared hosting
would be for ESPs to use IPv6 address space for sending. Each customer can
then be assigned unique IP addresses. An approach like this causes other
potential operational problems, for example infrequent senders (think of a
monthly newsletter sent at the beginning of each month). The issues
presented by Chuhan Wang have actually been known and understood for quite
some time even if not well documented for a wider audience.

I do agree that the title is misleading.

Michael Hammer
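
The shared-hosting point and the per-customer IPv6 idea in the message above, as an added illustration that is not part of the original thread and not any ESP's code. The customer domains, addresses (documentation ranges) and SPF records are constructed, and only ip4:/ip6: mechanisms are evaluated.

```python
import ipaddress

def spf_networks(record):
    """Networks authorized by pass-qualified ip4:/ip6: mechanisms in one SPF record."""
    nets = []
    for term in record.split()[1:]:              # skip the "v=spf1" version tag
        term = term.lstrip("+")                  # "+" is the default (pass) qualifier
        if term.lower().startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets                                  # "-", "~", "?" terms and "all" are ignored

def spf_pass(record, sender_ip):
    """True if sender_ip falls inside any authorized network of the record."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip.version == net.version and ip in net for net in spf_networks(record))

def cross_customer_passes(records, sending_ip):
    """(sender, domain) pairs where one customer's sending IP passes SPF for another's domain."""
    return sorted(
        (sender, domain)
        for sender, ip in sending_ip.items()
        for domain, record in records.items()
        if domain != sender and spf_pass(record, ip)
    )

# Constructed sample data (documentation address ranges, hypothetical customers).
# Shared pool: both customers authorize the same range and send from the same IP.
SHARED_RECORDS = {
    "customer-a.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "customer-b.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
SHARED_IPS = {"customer-a.example": "192.0.2.10", "customer-b.example": "192.0.2.10"}

# Per-customer IPv6: each customer authorizes only its own assigned address.
DEDICATED_RECORDS = {
    "customer-a.example": "v=spf1 ip6:2001:db8:0:a::1 -all",
    "customer-b.example": "v=spf1 ip6:2001:db8:0:b::1 -all",
}
DEDICATED_IPS = {"customer-a.example": "2001:db8:0:a::1", "customer-b.example": "2001:db8:0:b::1"}

if __name__ == "__main__":
    print("shared pool: ", cross_customer_passes(SHARED_RECORDS, SHARED_IPS))
    print("per-customer:", cross_customer_passes(DEDICATED_RECORDS, DEDICATED_IPS))
```

With the shared range every customer's sending address passes SPF for every other customer's domain; with one address per customer the overlap list is empty.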

On Tue, Mar 12, 2024 at 1:38 AM Neil Anuskiewicz <neil=
40marmot-tech....@dmarc.ietf.org> wrote:

> The solution to that vulnerability is in part to use a subdomain and, when
> possible, narrow the scope of what you permit. Better yet, choose a vendor
> that’s known for tight security. A quick look at the security headlines
> will show you some vendor red flags. But the sad state of SPF is a
> misleading title at best,
>
> On Mar 4, 2024, at 8:37 PM, Chuhan Wang <wc...@mails.tsinghua.edu.cn>
> wrote:
>
> Hi Everyone,
> I am Chuhan Wang from Tsinghua University, the author of the paper *BreakSPF:
> How Shared Infrastructures Magnify SPF Vulnerabilities Across the Internet.*
>
> Thanks Barry for sharing our paper presented at NDSS regarding the
> vulnerabilities of SPF in this work group. I'm glad to see that our
> research on BreakSPF is being discussed in the IETF work group. It's
> encouraging to know that our work is contributing to important
> conversations about email security.
>
> I am willing to discuss any questions or concerns that may arise from our
> paper. Please feel free to reach out to me, and I'll be more than happy to
> discuss our findings and insights with the group.
> Chuhan Wang
> Tsinghua University
>
> Begin forwarded message:
>
> *From: *Barry Leiba <barryle...@computer.org>
> *Subject: **[dmarc-ietf] The sad state of SPF: research just presented at
> NDSS*
> *Date: *February 28, 2024 at 17:33:41 CST
> *To: *IETF DMARC WG <dmarc@ietf.org>
>
> A paper was presented this morning at NDSS about the state of SPF, which
> is worth a read by this group:
>
>
> https://www.ndss-symposium.org/ndss-paper/breakspf-how-shared-infrastructures-magnify-spf-vulnerabilities-across-the-internet/
>
> Barry
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc