Full Disclosure mailing list archives

Re: Windows XP denial of service 0day found in CTF exercise


From: Valdis.Kletnieks () vt edu
Date: Tue, 17 Apr 2012 19:10:36 -0400

On Tue, 17 Apr 2012 17:48:47 -0400, "Elazar Broad" said:

> At least configure your SPF record policy to hard fail, and consider Domain Keys and/or DMARC.

Given where his MXs point, and the fact that the SPF includes a :include that
points at another domain, simply setting it to "hard fail" without breaking his
e-mail may or may not be easy to do.  Similarly, if he sets it to hard fail, he
probably can't turn on DKIM without the cooperation of the domain listed in the
:include.

(A *lot* of sites that do SPF only code 'soft fail' so that other tools like
spamassassin can add a few points if the mail comes from an "unexpected" place,
but don't want to have hard-fail because that can break users.  For instance,
we don't publish a hard-fail because that results in a support headache if one
of our professors goes to a conference and sends e-mail from his hotel room -
and the hotel network hijacks the connection.  *loads* of fun to sort that out
when the professor calls our help desk from Seattle or Tokyo.  And of course,
he's a chemical engineering professor, so has zero network debugging tools on
the laptop...)
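As an added illustration (not part of the original message or of any real SPF library), a simplified SPF evaluator in Python over constructed records: it shows why an include: of another domain only ever contributes a "pass" (the included record's own ~all/-all does not propagate), and how ~all versus -all changes what a receiver does with mail from an unexpected address such as a hotel network. The domain names, addresses, and the receiver's scoring policy are assumptions; macros, redirect= and DNS lookups are omitted.

```python
import ipaddress

# Constructed sample TXT records (not real DNS data): the sending domain
# delegates part of its policy to a mail provider via include:.
ZONE = {
    "example.org": "v=spf1 mx include:_spf.mailprovider.example ~all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
MX_HOSTS = {"example.org": ["203.0.113.25"]}   # constructed MX addresses

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, zone=ZONE, depth=0):
    """Evaluate a simplified SPF record (ip4, mx, include, all) for sender ip."""
    if depth > 10 or domain not in zone:
        return "permerror"
    sender_ip = ipaddress.ip_address(ip)
    for term in zone[domain].split()[1:]:          # skip the "v=spf1" tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = sender_ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = ip in MX_HOSTS.get(arg or domain, [])
        elif name == "include":
            # include: matches only when the included record yields "pass";
            # its -all/~all never propagates, so the policy of a domain you
            # do not control cannot make your own record "hard fail".
            matched = check_spf(arg, ip, zone, depth + 1) == "pass"
        else:
            matched = False                        # unsupported mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def compare_policies(ip, zone=ZONE):
    """Result with the record as published versus the same record with -all."""
    hard = dict(zone)
    hard["example.org"] = zone["example.org"].replace("~all", "-all")
    return check_spf("example.org", ip, zone), check_spf("example.org", ip, hard)


def receiver_action(result, score=0.0, softfail_points=2.0):
    """Assumed receiver policy: reject on fail, add spam points on softfail."""
    if result == "fail":
        return "reject", score
    if result == "softfail":
        return "accept", score + softfail_points
    return "accept", score
```

With the soft-fail record, mail from the constructed hotel address 192.0.2.10 is accepted with extra spam points; with -all the same message is rejected outright.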


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
