On 08/Dec/11 15:54, Dotzero wrote: >> >> The SPF draft has an example where example.org wants reports at another >> domain [email protected] That makes me nervous, the opposition >> could publish malicious DNS records for some kind of indirect attack. >> >> I don't see why that's necessary for SPF or ADSP. It might be different >> for broken or forged DKIM signatures, but generally I think that anybody >> "doing something" with mail at a domain where they can add TXT records >> can also arrange a postmaster@ or similar mailbox at this domain.
This seems to be the same conclusion that the thread started by Murray in August reached http://www.ietf.org/mail-archive/web/marf/current/msg01246.html > Some organizations (such as my own) use a 3rd party service for > handling authentication FBL emails. We don't use ADSP and the mail > flows involved are (all) DKIM signed. I recognize the risk you > indicate but I think there are much easier attack vectors than this. _______________________________________________ marf mailing list [email protected] https://www.ietf.org/mailman/listinfo/marf
