On 10 sep 2013, at 13:39, "Murray S. Kucherawy" <superu...@gmail.com> wrote:

> On Tue, Sep 10, 2013 at 4:04 AM, Patrik Fältström <p...@frobbit.se> wrote:
> What we did look at was first of all every query for an MX resource record. 
> Then we look at +/-1 second from the timestamp of that MX query for TXT 
> and/or SPF record for the same owner. We draw the conclusion that if there is 
> a query for an MX record, and then either TXT or SPF (or both) within the 
> approximately same timespan, then they are related queries.
> 
> I'm not sure that's a valid conclusion.  Since MX is needed only for a 
> sending system, a receiving system doing an SPF check of either type has no 
> reason to query for MX.  The exception to this might be a heuristic check to 
> see if the domain in the MAIL FROM has MX or A published such that a reply 
> appears to be possible, but I wouldn't expect a strong correlation in your 
> data.

True.

View my explanation as just what it was: how we did our calculations. Anyone 
can draw conclusions from the data.

The problem is that if one looks at just queries to a root server like this, 
there is lots of what I would call "junk". When looking at TLDs, we saw about 
162 million different TLDs each 24h in the QNAME. This time we also saw, for 
example, queries for SPF and other RR Types where the QNAME was an IPv4 address 
(for example "10.2.3.4.").

So, we found _some_ algorithm was needed instead of "just" counting queries, 
and we did count the way I just explained.

   Patrik
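
The counting method described in this thread (each MX query paired with TXT and/or SPF queries for the same owner within +/-1 second), as an added example that is not part of the original messages or the authors' tooling. The log tuple format, the function names and the choice to set aside IPv4-address QNAMEs as junk are assumptions made for illustration; the sample data is constructed.

```python
import bisect
import ipaddress
from collections import defaultdict

WINDOW = 1.0  # seconds either side of the MX query, as stated in the thread

# Constructed sample log: (timestamp, QNAME, QTYPE). Not real root-server data.
SAMPLE = [
    (100.0, "example.com.", "MX"),
    (100.4, "example.com.", "TXT"),
    (100.6, "Example.COM.", "SPF"),   # owner names compare case-insensitively
    (200.0, "example.net.", "MX"),
    (203.0, "example.net.", "TXT"),   # 3 s later: outside the window
    (299.2, "example.org.", "SPF"),   # arrives before its MX query
    (300.0, "example.org.", "MX"),
    (400.0, "10.2.3.4.", "SPF"),      # junk: QNAME is an IPv4 address
    (400.1, "10.2.3.4.", "MX"),
]

def is_ipv4_qname(qname):
    """True when the QNAME is a dotted-quad address rather than a domain."""
    try:
        ipaddress.IPv4Address(qname.rstrip("."))
        return True
    except ValueError:
        return False

def correlate(queries, window=WINDOW):
    """Classify each MX query by the TXT/SPF queries seen within the window."""
    seen = defaultdict(list)          # (owner, qtype) -> ascending timestamps
    mx, junk = [], 0
    for ts, qname, qtype in sorted(queries):
        if is_ipv4_qname(qname):      # assumption: drop these before counting
            junk += 1
        elif qtype == "MX":
            mx.append((ts, qname.lower()))
        elif qtype in ("TXT", "SPF"):
            seen[(qname.lower(), qtype)].append(ts)

    def near(owner, qtype, ts):
        stamps = seen.get((owner, qtype), [])
        i = bisect.bisect_left(stamps, ts - window)
        return i < len(stamps) and stamps[i] <= ts + window

    counts = dict(mx=len(mx), both=0, txt_only=0, spf_only=0, none=0, junk=junk)
    for ts, owner in mx:
        txt, spf = near(owner, "TXT", ts), near(owner, "SPF", ts)
        key = "both" if txt and spf else "txt_only" if txt else "spf_only" if spf else "none"
        counts[key] += 1
    return counts
```

The "none" bucket holds MX queries with no TXT or SPF query in the window. A co-occurrence in the window is counted as related without establishing which resolver or purpose produced it, which is the limitation raised in the quoted reply.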
