Mailing List Archive

Current spf record for comcast.net?
Hello, I saw all the traffic here:

http://www.gossamer-threads.com/lists/spf/discuss/30522?do=post_view_threaded#30522

I came up with a list similar to Rene's before I found this great
discussion group.

My problem is that I don't want to allow a wide comcast.net CIDR block
to be able to spoof my domains.

It seems really problematic also to include 40 hosts via the a: syntax
in the TXT record. I'm using DJB's tinydns and it has some issues with
long TXT fields. It splits them over 127 characters (although
according to the spec, most clients should be able to reconstruct),
but over a certain length approaching the 512 byte limit of UDP DNS
packets, tinydns can't provide this data because DNS uses TCP for
bigger records.

Regardless... I'm trying to find a way to use SPF to add a list of
arbitrary hosts without having to list them all individually, but
without adding in monster CIDR block ranges.

So what I did was set up some dummy host/domains in my own namespace
that look something like this (here is the BIND formatted version):

; comcast crap
alnrmhc IN MX 10 alnrmhc11.comcast.net.
alnrmhc IN MX 10 alnrmhc12.comcast.net.
alnrmhc IN MX 10 alnrmhc13.comcast.net.
alnrmhc IN MX 10 alnrmhc14.comcast.net.
alnrmhc IN MX 10 alnrmhc15.comcast.net.
alnrmhc IN MX 20 alnrmhc16.comcast.net.
alnrmhc IN MX 20 alnrmhc17.comcast.net.
alnrmhc IN MX 20 alnrmhc18.comcast.net.
alnrmhc IN MX 20 alnrmhc19.comcast.net.
alnrmhc IN MX 20 alnrmhc20.comcast.net.
alnrmhc IN MX 20 alnrmhc21.comcast.net.
alnrmhc IN MX 20 alnrmhc22.comcast.net.
alnrmhc IN MX 20 alnrmhc23.comcast.net.

So I do this for the various comcast outbound smtp servers and
point to it in my SPF TXT record:

IN TXT "v=spf1 a mx mx:alnrmhc.buszard-welcher.com
mx:rwcrmhc.buszard-welcher.com mx:sccrmhc.buszard-welcher.com -all"

Anyway, it seems to be working for "buszard-welcher.com" now.

The big problem is, of course, comcast can change their
outbound SMTP servers at anytime...

but I live dangerously... they could change my DHCP IP address
at any time, I'm not using dyndns or anything... but it
stays relatively constant (on the order of months).


--
James Welcher, james{at}buszard-welcher.com, jwelcher{at}gmail.com
http://jameswelcher.livejournal.com AIM{jbwelcher} SKYPE{jwelcher}

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735
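Added example for this thread (not the poster's code): a minimal check_host() over an in-memory zone that evaluates the record above for a, mx, mx:<domain>, ip4, include and all. The hostnames are the ones from the post; every IP address, the rwcrmhc host count and the split.buszard-welcher.com variant are assumptions. It also enforces the cap that matters for a 13-host MX pointer: RFC 4408 section 10.1 allows at most 10 MX records to be looked up per mx mechanism (RFC 7208 section 4.6.4 makes exceeding it a permerror), so any connecting IP that gets as far as mx:alnrmhc.buszard-welcher.com comes back permerror rather than pass or fail. The split.buszard-welcher.com record shows the same policy with the pointer split across two names of at most 10 MX each.

```python
"""Minimal SPF check_host() over an in-memory DNS for the mechanisms a, mx,
mx:<domain>, ip4, include and all.  Added example for this thread, not the
poster's code.  Hostnames are the ones from the post; every IP address, the
rwcrmhc host count and the split.* variant are constructed for illustration."""
import ipaddress

# RFC 4408 section 10.1 / RFC 7208 section 4.6.4: an mx mechanism whose MX
# lookup yields more than 10 names must produce permerror.
MAX_MX_NAMES = 10

# Constructed zone: (owner, rrtype) -> list of rdata.  Mirrors the BIND snippet
# above: alnrmhc.buszard-welcher.com carries 13 MX records (alnrmhc11..23).
ZONE = {
    ("buszard-welcher.com", "TXT"): [
        "v=spf1 a mx mx:alnrmhc.buszard-welcher.com mx:rwcrmhc.buszard-welcher.com -all"],
    ("buszard-welcher.com", "A"): ["192.0.2.10"],
    ("buszard-welcher.com", "MX"): ["mail.buszard-welcher.com"],
    ("mail.buszard-welcher.com", "A"): ["192.0.2.10"],
    ("alnrmhc.buszard-welcher.com", "MX"): [f"alnrmhc{n}.comcast.net" for n in range(11, 24)],
    ("rwcrmhc.buszard-welcher.com", "MX"): [f"rwcrmhc{n}.comcast.net" for n in range(11, 16)],
    # Same policy with the 13-host pointer split into two names of <= 10 MX each
    ("split.buszard-welcher.com", "TXT"): [
        "v=spf1 a mx:alnrmhc-a.buszard-welcher.com mx:alnrmhc-b.buszard-welcher.com "
        "mx:rwcrmhc.buszard-welcher.com -all"],
    ("split.buszard-welcher.com", "A"): ["192.0.2.10"],
    ("alnrmhc-a.buszard-welcher.com", "MX"): [f"alnrmhc{n}.comcast.net" for n in range(11, 18)],
    ("alnrmhc-b.buszard-welcher.com", "MX"): [f"alnrmhc{n}.comcast.net" for n in range(18, 24)],
}
for n in range(11, 24):
    ZONE[(f"alnrmhc{n}.comcast.net", "A")] = [f"198.51.100.{n}"]   # constructed addresses
for n in range(11, 16):
    ZONE[(f"rwcrmhc{n}.comcast.net", "A")] = [f"203.0.113.{n}"]    # constructed addresses


class PermError(Exception):
    """The policy cannot be evaluated (SPF 'PermError')."""


def lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def mx_matches(ip, mx_domain):
    """'mx' mechanism: ip must be an A record of one of mx_domain's MX hosts."""
    names = lookup(mx_domain, "MX")
    if len(names) > MAX_MX_NAMES:
        raise PermError(f"mx:{mx_domain} returns {len(names)} MX names, limit is {MAX_MX_NAMES}")
    return any(ip in lookup(host, "A") for host in names)


def check_host(ip, domain, depth=0):
    """Evaluate domain's v=spf1 record for connecting address ip."""
    if depth > 10:
        raise PermError("include nesting too deep")
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = mx_matches(ip, arg or domain)
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:   # exists:, ptr:, redirect= are not handled in this example
            raise PermError(f"unsupported mechanism {mech!r}")
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"   # record exhausted without a match (no 'all' term)


def spf_result(ip, domain):
    """check_host() with PermError folded into the 'permerror' result string."""
    try:
        return check_host(ip, domain)
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.20", "203.0.113.12", "192.0.2.99"):
        print(f"{ip:>14}  buszard-welcher.com -> {spf_result(ip, 'buszard-welcher.com'):9}"
              f"  split.buszard-welcher.com -> {spf_result(ip, 'split.buszard-welcher.com')}")
```

With the record as posted, only the poster's own host (which matches the leading "a") gets a pass; every other address reaches mx:alnrmhc.buszard-welcher.com and is answered permerror, including the Comcast relays it was meant to authorize. The split variant returns pass for the relays and fail for everything else.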
Re: Current spf record for comcast.net?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James Welcher wrote:
> My problem is that I don't want to allow a wide comcast.net CIDR block
> to be able to spoof my domains.
>
> It seems really problematic also to include 40 hosts via the a: syntax
> in the TXT record. I'm using DJB's tinydns and it has some issues with
> long TXT fields. It splits them over 127 characters (although
> according to the spec, most clients should be able to reconstruct),
> but over a certain length approaching the 512 byte limit of UDP DNS
> packets, tinydns can't provide this data because DNS uses TCP for
> bigger records.
>
> Regardless... I'm trying to find a way to use SPF to add a list of
> arbitrary hosts without having to list them all individually, but
> without adding in monster CIDR block ranges.

There are two other solutions besides the one you described:

1. Publish A records for their servers' IP addresses:
91.225.127.204.comcast.spf.yourdomain.com. IN A 127.0.0.1
51.177.18.206.comcast.spf.yourdomain.com. IN A 127.0.0.1
...
and then say "exists:%{ir}.comcast.spf.%{d}" or something in your SPF
record. (This may not be more maintainable than your MX solution, but
it is more general and allows for large, arbitrary sets of IP
addresses.)

2. If you're a Comcast customer, contact them and tell them that you'd
like them to publish an SPF record (and keep it up to date). Then
"include:" that SPF record as soon as they publish it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFzampwL7PKlBZWjsRAnzJAJ9XG0I+VtebMSWpkWbCOQjZrGuqWACgg3KD
ZzH07FJzzcU6iHgILnG0XNA=
=J82p
-----END PGP SIGNATURE-----

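Added example for Julian's first suggestion (not his code): the SPF macro expansion that "exists:%{ir}.comcast.spf.%{d}" relies on (RFC 4408 section 8, RFC 7208 section 7.3), used both to generate the per-IP A records and to match a connecting address against them. The two owner names reuse the ones from the reply; the addresses they encode are treated as illustrative, not as real mail servers, and yourdomain.com stands in for the publishing domain. The expander handles the general macro syntax (letter, optional label count, optional "r" reversal, custom delimiters, and the "%%", "%_", "%-" escapes), so it also shows what "%{ir}" produces for an IPv6 client, where the value is the address as dot-separated nibbles.

```python
"""SPF macro expansion and the 'exists:' mechanism over a generated per-IP zone.
Added example for this thread, not Julian's code.  The owner names reuse the two
from the reply; the addresses are illustrative and yourdomain.com is a placeholder."""
import ipaddress
import re

# %{<letter><digits><r><delimiters>} plus the literal escapes %%, %_ and %-
MACRO_RE = re.compile(
    r"%(?:\{(?P<letter>[slodipv])(?P<n>\d*)(?P<r>r?)(?P<delims>[.\-+,/_=]*)\}|(?P<lit>[%_-]))",
    re.I)


def ip_labels(ip):
    """%{i} value: dotted quad for IPv4, dot-separated nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand_macro(spec, ip, domain, sender=None):
    """Expand the macros in spec for a check of <domain> on connecting address ip."""
    sender = sender or f"postmaster@{domain}"
    local, _, sender_domain = sender.partition("@")
    values = {
        "s": sender, "l": local, "o": sender_domain, "d": domain,
        "i": ip_labels(ip),
        "v": "in-addr" if ipaddress.ip_address(ip).version == 4 else "ip6",
    }

    def substitute(m):
        if m.group("lit"):
            return {"%": "%", "_": " ", "-": "%20"}[m.group("lit")]
        delims = m.group("delims") or "."
        parts = re.split("[" + re.escape(delims) + "]", values[m.group("letter").lower()])
        if m.group("r"):
            parts.reverse()          # 'r' transformer: reverse the label order
        if m.group("n"):
            parts = parts[-int(m.group("n")):]   # keep only the rightmost N labels
        return ".".join(parts)       # labels are always rejoined with "."

    return MACRO_RE.sub(substitute, spec)


def exists_zone(ips, base):
    """Owner names for an 'exists:%{ir}.<base>' policy, one A record per allowed IP.
    The A record's value is irrelevant to SPF; 127.0.0.1 follows the reply above."""
    return {f"{expand_macro('%{ir}', ip, base)}.{base}": "127.0.0.1" for ip in ips}


def bind_lines(zone):
    """The zone as BIND-style lines, in the shape shown in the reply."""
    return [f"{name}. IN A {target}" for name, target in sorted(zone.items())]


def exists_matches(spec, ip, domain, zone):
    """'exists:' mechanism: match iff the expanded name has an A record."""
    return expand_macro(spec, ip, domain) in zone


# Constructed data: the addresses encoded by the two owner names in the reply.
ALLOWED = ["204.127.225.91", "206.18.177.51"]
BASE = "comcast.spf.yourdomain.com"
SPEC = "%{ir}.comcast.spf.%{d}"
EXISTS_ZONE = exists_zone(ALLOWED, BASE)

if __name__ == "__main__":
    print("\n".join(bind_lines(EXISTS_ZONE)))
    for ip in ("204.127.225.91", "204.127.225.92", "2001:db8::1"):
        name = expand_macro(SPEC, ip, "yourdomain.com")
        print(f"{ip:>16} -> {name}: {exists_matches(SPEC, ip, 'yourdomain.com', EXISTS_ZONE)}")
```

The generated lines are exactly the two owner names from the reply; an address with no matching name simply does not match the mechanism, so the record's final term decides the result. Note that the IPv6 form of "%{ir}" is 32 single-nibble labels, so a zone built this way needs separate entries for any IPv6 relays.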
Re: Re: Current spf record for comcast.net?
At 11:16 AM 2/10/2007 +0000, Julian Mehnle wrote:
>James Welcher wrote:
> > My problem is that I don't want to allow a wide comcast.net CIDR block
> > to be able to spoof my domains.
> >
> > It seems really problematic also to include 40 hosts via the a: syntax
> > in the TXT record. I'm using DJB's tinydns and it has some issues with
> > long TXT fields. It splits them over 127 characters (although
> > according to the spec, most clients should be able to reconstruct),
> > but over a certain length approaching the 512 byte limit of UDP DNS
> > packets, tinydns can't provide this data because DNS uses TCP for
> > bigger records.
> >
> > Regardless... I'm trying to find a way to use SPF to add a list of
> > arbitrary hosts without having to list them all individually, but
> > without adding in monster CIDR block ranges.
>
>There are two other solutions besides the one you described:
>
> 1. Publish A records for their servers' IP addresses:
> 91.225.127.204.comcast.spf.yourdomain.com. IN A 127.0.0.1
> 51.177.18.206.comcast.spf.yourdomain.com. IN A 127.0.0.1
> ...
> and then say "exists:%{ir}.comcast.spf.%{d}" or something in your SPF
> record. (This may not be more maintainable than your MX solution, but
> it is more general and allows for large, arbitrary sets of IP
> addresses.)
>
> 2. If you're a Comcast customer, contact them and tell them that you'd
> like them to publish an SPF record (and keep it up to date). Then
> "include:" that SPF record as soon as they publish it.

3. Use another ESP for your outbound. I use controlledmail.com: small but
excellent service if you ever have a problem, and yahoo.com: no service,
but huge clout with receivers. Yahoo doesn't publish an SPF record, but
they do seem to police their entire IP range quite well.

-- Dave

