Mailing List Archive

Utility to expand SPF record into list of IPs?
I apologize if this is out of scope for this list - I wasn't sure, so
figured I'd give it a shot... :)

Anyway, I'm looking for a utility that would allow me to query the SPF
record for a given domain, and then expand that SPF record into a list
of IPs - and I need to be able to do this programmatically. Kind of a
strange request, I know, but I need this ability for a kludge resolution
of an issue that is outside the interests of this list.

I've looked for a perl module, but have not yet had any luck. Anyone
have any suggestions?

Thanks!

Jason

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://www.listbox.com/member/archive/735/=now
RSS Feed: http://www.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://www.listbox.com/member/?member_id=1311532&id_secret=95897010-3d7186
Powered by Listbox: http://www.listbox.com
Re: Utility to expand SPF record into list of IPs?
On 06/03/2008, Jason.Price@thomson.com <Jason.Price@thomson.com> wrote:
>
>
> I apologize if this is out of scope for this list - I wasn't sure, so figured I'd give it a shot... :)
>
> Anyway, I'm looking for a utility that would allow me to query the SPF record for a given domain, and then expand that SPF record into a list of IPs - and I need to be able to do this programmatically. Kind of a strange request, I know, but I need this ability for a kludge resolution of an issue that is outside the interests of this list.

Unfortunately that's only possible for a partial set of SPF mechanisms
- you couldn't translate (e.g.) ptr and exists mechanisms into lists of
IPs.

Peter


--
Peter Bowyer
Email: peter@bowyer.org

Re: Utility to expand SPF record into list of IPs?
On Thu, 6 Mar 2008, Peter Bowyer wrote:

> > Anyway, I'm looking for a utility that would allow me to query the SPF
> > record for a given domain, and then expand that SPF record into a list of
> > IPs - and I need to be able to do this programmatically. Kind of a strange
> > request, I know, but I need this ability for a kludge resolution of an
> > issue that is outside the interests of this list.
>
> Unfortunately that's only possible for a partial set of SPF mechanisms - you
> couldn't translate (e.g.) ptr and exists mechanisms into lists of
> IPs.

Not a list of IPs, but any SPF record is a map of (mailfrom,ip) pairs to
SPF results. As a thought experiment, you could evaluate the SPF record for
all 4 billion IPs and cache the resulting map under the mailfrom with
a TTL that is the minimum of all TTLs encountered.

Generating the map can be done much more efficiently, however.

EXISTS - depends on which macros are used. If IP macros are not used, result
applies to all IPs. If IP macro is used, you probably don't want to
query the poor exists server for all possible IPs, so use lazy evaluation.
Many IPs will never hit the exists, so the lazy evaluation would only
be included for IPs that need it.

PTR - PTR matches must be validated, so you can start with a name. While we
can't guess *all* the names that might end in the target, we can guess a few,
like the target itself and the mailfrom, and any other matching domains
mentioned during compiling. Add any hits as ip4 mechanisms in front of the
ptr.

Because of the need for lazy evaluation, our system will "compile"
an SPF record to one with mostly IP4 mechanisms, plus a TTL. The
ip4 mechanisms can have a compact binary representation in the cache.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: Utility to expand SPF record into list of IPs?
On Mar 6, 2008, at 7:09 AM, <Jason.Price@thomson.com>
<Jason.Price@thomson.com> wrote:

> I apologize if this is out of scope for this list - I wasn't sure,
> so figured I'd give it a shot... :)
>
> Anyway, I'm looking for a utility that would allow me to query the
> SPF record for a given domain, and then expand that SPF record into
> a list of IPs - and I need to be able to do this programmatically.
> Kind of a strange request, I know, but I need this ability for a
> kludge resolution of an issue that is outside the interests of this
> list.
>

I think the 80/20 rule would make such a utility useful, even with
the caveat that it only operates on a subset of valid SPF records,
modulo "exists" and "ptr".


Re: Utility to expand SPF record into list of IPs?
Meng Weng Wong wrote:

> the 80/20 rule would make such a utility useful, even with the
> caveat that it only operates on a subset of valid SPF records,
> modulo "exists" and "ptr".

And using CIDR notation, otherwise the output could be huge... ;-)
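
The partial expansion discussed in this thread, as an added example that is not code from any list member: it expands ip4, ip6, a, mx, include and redirect into collapsed CIDR blocks and returns separately the terms that cannot be enumerated (ptr, exists, macros, non-pass qualifiers). The zone data, the names `expand_spf` and `sample_resolve`, and the resolver interface are assumptions for illustration; records are assumed to be syntactically valid.

```python
import ipaddress
import re
# Constructed sample zone (reserved documentation names/ranges, not real DNS).
ZONE = {
    ("example.test", "TXT"): ["v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 a mx/30 "
                              "include:_spf.vendor.test ptr exists:%{i}.bl.example.test -all"],
    ("example.test", "A"): ["198.51.100.10"],
    ("example.test", "MX"): ["mail.example.test"],
    ("mail.example.test", "A"): ["198.51.100.9"],
    ("_spf.vendor.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"],
}
TERM = re.compile(r"([+\-~?])?([^:=/]*)(?:[:=]([^/]*))?(/.*)?$")

def sample_resolve(name, rrtype):
    return ZONE.get((name.lower(), rrtype), [])
def collapse(nets):
    # collapse_addresses() rejects mixed versions, so merge IPv4 and IPv6 separately.
    return [c for v in (4, 6)
            for c in ipaddress.collapse_addresses(n for n in nets if n.version == v)]

def expand_spf(domain, resolve, seen=None, skipped=None):
    """Return (CIDR networks that can yield pass, terms that cannot be enumerated)."""
    seen = set() if seen is None else seen
    skipped = [] if skipped is None else skipped
    if domain in seen:                       # include/redirect loop guard
        return [], skipped
    seen.add(domain)
    record = next((t for t in resolve(domain, "TXT") if t.lower().startswith("v=spf1")), "")
    terms = [(t, *TERM.match(t).groups()) for t in record.split()[1:]]
    has_all = any(t[2].lower() == "all" for t in terms)
    nets = []
    for raw, qual, name, arg, tail in terms:
        name, tail = name.lower(), tail or ""
        if name in ("all", "exp") or (name == "redirect" and has_all):
            continue
        if name in ("ptr", "exists") or "%" in (arg or "") or qual not in (None, "+"):
            skipped.append(raw)              # needs lazy, per-connection evaluation
        elif name in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(arg + tail, strict=False))
        elif name in ("include", "redirect"):
            nets += expand_spf(arg, resolve, seen, skipped)[0]
        elif name in ("a", "mx"):
            p4, _, p6 = tail.partition("//")  # "/24//64" -> "/24", "64"
            hosts = [arg or domain] if name == "a" else resolve(arg or domain, "MX")
            for host in hosts:
                for addr in resolve(host, "A") + resolve(host, "AAAA"):
                    plen = ("/" + p6 if p6 else "") if ":" in addr else p4
                    nets.append(ipaddress.ip_network(addr + plen, strict=False))
        else:
            skipped.append(raw)
    return collapse(nets), skipped
```

Calling `expand_spf("example.test", sample_resolve)` merges the two /25 blocks into one /24 and absorbs the `a` host address into the /30 derived from `mx/30`; a live resolver can be substituted for `sample_resolve` as long as it returns lists of strings for TXT, A, AAAA and MX.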
