| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Apr 2012 19:10:36 -0400
From: Valdis.Kletnieks@...edu
To: "Elazar Broad" <elazar@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk, adam@...osecinstitute.com
Subject: Re: Windows XP denial of service 0day found in
CTF exercise
On Tue, 17 Apr 2012 17:48:47 -0400, "Elazar Broad" said:
> At least configure your SPF record policy to hard fail, and consider Domain Keys and/or DMARC.
Given where his MX's point, and the fact that the SPF includes a :include that
points at another domain, simply setting it to "hard fail" without breaking his
e-mail may or may not be easy to do. Similarly, if he sets it to hard fail, he
probably can't turn on DKIM without the cooperation of the domain listed in the
:include
(A *lot* of sites that do SPF only code 'soft fail' so that other tools like
spamassassin can add a few points if the mail comes from an "unexpected" place,
but don't want to have hard-fail because that can break users. For instance,
we don't publish a hard-fail because that results in a support headache if one
of our professors goes to a conference and sends e-mail from his hotel room -
and the hotel network hijacks the connection. *loads* of fun to sort that out
when the professor calls our help desk from Seattle or Tokyo. And of course,
he's a chemical engineering professor, so has zero network debugging tools on
the laptop...)
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists