
Re: pros and cons of RMX (Re: [Asrg] Declaration to the world)

2003-03-06 23:07:06
How is this going to work for asrg(_at_)ietf(_dot_)org email?

Let's say I run this code to check your dnsbl. Now you send email to asrg,
responding to this post, my MTA receives it and goes to your domain
specific dnsbl, it sees that you support it and checks the IP address of the
ietf mail server and that ip is not in your dnsbl, so your email is rejected.
(Damn, and I really wanted to read your reply! :)

On 6 Mar 2003, wayne wrote:

In 
<7695E2F6903F7A41961F8CF888D87EA809F01C37(_at_)red-msg-06(_dot_)redmond(_dot_)corp(_dot_)microsoft(_dot_)com>
 "Jonathan Wilkins" <jwilkins(_at_)microsoft(_dot_)com> writes:

The reason I've been so vocal about the RMX proposal is that
I find it to be really objectionable since it requires a lot
of effort from a lot of people for no particular gain.  It's 
just another step in an arms race that has minimal long term
benefits.

Well, I'm not certain what your definition of "a lot of effort" or "a
lot of people" is, but domain specific DNSBLs can be implemented very
easily.


Just for kicks, I've implemented a domain specific DNSBL for my
midwestcs.com domain.  To find out if the IP address is, in my
opinion, acceptable to send mail claiming to be from the midwestcs.com
domain, you need to use the smtp-out.midwestcs.com DNSBL.  That is, if
the IP address is w.x.y.z, you would query
z.y.x.w.smtp-out.midwestcs.com just like any other blacklist.  If it
returns 127.0.0.1, it should be rejected.  If the A record is not
found, it should be accepted.

I created this domain specific DNSBL by adding the following lines to
my zone file:

; default entry: reject
*.smtp-out      IN      A       127.0.0.1
; acceptable sending IP addresses
234.212.222.206.smtp-out        IN      CNAME   OK
237.212.222.206.smtp-out        IN      CNAME   OK
; just in case
OK      IN      TXT     OK


The next step is to use this black list.  Just because it was easy for
me, I hacked on SpamAssassin to check for domain specific DNSBLs.  I
did this by adding the following function to EvalTests.pm:

sub check_dsdnsbl {
  my ($self, $set) = @_;

  # prefer the Reply-To address; fall back to From if Reply-To is missing or has no @
  my $from = $self->get ('Reply-To:addr');
  if (!defined $from || $from !~ /\@\S+/) {
    $from = $self->get ('From:addr');
  }
  # keep only the domain part of the address
  return 0 unless ($from =~ /\@(\S+)/);
  $from = $1;

  dbg ("checking domain specific DNSBL for $from", "rbl", -1);

  # query the sender domain's smtp-out list exactly like any other RBL
  return check_rbl( $self, $set, "smtp-out.$from", 1 );
}


I also had to add the following to my local.cf file:

# check domain specific DNSBL
header RCVD_IN_DSDNSBL                rbleval:check_dsdnsbl('smtp-out')
describe RCVD_IN_DSDNSBL      Received via Domain Specific DNSBL of sender
tflags RCVD_IN_DSDNSBL          net
score RCVD_IN_DSDNSBL           1.0



Ok, as of tonight, anyone in the world can find out if an IP address
should be sending you email claiming they are from my domain, and any
domain in the world will be checked by me for the same thing.  This
isn't much, but it is a start.


I suspect it would be about as much work to add this check to a
sendmail.cf file, but about 10 years ago I decided that hacking on
sendmail.cf files was less fun than pounding my fingers with a
hammer.  Someone who enjoys this kind of thing would need to do that.

It shouldn't be hard to add this kind of check to any MTA that already
supports DNSBLs, such as exim.


Oh!  Before anyone adds the above code to their SpamAssassin, note that my
copy of SA has fixes for the DNSBL checks.  SA's DNSBL checks are
pretty bogus because they check from the originating end of the receive
chain, which of course can be completely faked.  To the best of my
knowledge, this is still broken in the just released 2.50 version.


Anyway, consider this a "proof of concept".  I welcome any comments or
suggestions about it.


-wayne

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
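As an added example (not code from either poster), here is the receiving side of the check in Python: it builds the reversed-octet query name, follows the zone's CNAME to the TXT-only OK name, and reproduces the mailing-list case raised at the top of the thread, where a message from midwestcs.com handed over by the list server (constructed relay address 192.0.2.10) is rejected because that relay is not in the sender domain's list. The resolver is an in-memory stand-in for the posted zone that applies RFC 4592 wildcard rules, which also shows that the zone's wildcard does not cover other 206.x.x.x addresses once 206.smtp-out exists as an empty non-terminal.

```python
from typing import Optional

DOMAIN = "midwestcs.com"
# Constructed in-memory copy of the posted zone fragment (fully qualified names).
ZONE = {
    f"*.smtp-out.{DOMAIN}": ("A", "127.0.0.1"),                      # default: reject
    f"234.212.222.206.smtp-out.{DOMAIN}": ("CNAME", f"OK.{DOMAIN}"),  # 206.222.212.234 OK
    f"237.212.222.206.smtp-out.{DOMAIN}": ("CNAME", f"OK.{DOMAIN}"),  # 206.222.212.237 OK
    f"OK.{DOMAIN}": ("TXT", "OK"),                                    # no A record
}
# Every ancestor of a zone name exists as an empty non-terminal (RFC 4592).
EXISTING = {n[i:] for n in ZONE for i in range(len(n)) if i == 0 or n[i - 1] == "."}


def resolve_a(qname: str) -> Optional[str]:
    """A record for qname, or None for NXDOMAIN / no-data (bounded CNAME chasing)."""
    for _ in range(8):
        if qname in ZONE:
            rtype, rdata = ZONE[qname]
        else:
            # Wildcard synthesis only from "*.<closest encloser>" (RFC 4592).
            labels = qname.split(".")
            encloser = next((".".join(labels[i:]) for i in range(1, len(labels))
                             if ".".join(labels[i:]) in EXISTING), None)
            source = f"*.{encloser}" if encloser else None
            if source not in ZONE:
                return None  # NXDOMAIN
            rtype, rdata = ZONE[source]
        if rtype == "CNAME":
            qname = rdata
            continue
        return rdata if rtype == "A" else None  # TXT-only "OK" is no-data
    return None


def dsdnsbl_query_name(ip: str, sender_domain: str) -> str:
    """Reverse the octets and append the sender domain's smtp-out list, as in the post."""
    return ".".join(reversed(ip.split("."))) + f".smtp-out.{sender_domain}"


def sender_ip_allowed(connecting_ip: str, from_addr: str) -> bool:
    """Accept unless the sender domain's list answers with an A record.

    connecting_ip must be the peer that delivered the message to us (last hop);
    an address copied from an earlier Received: header can be forged.
    """
    domain = from_addr.rsplit("@", 1)[-1].lower()
    return resolve_a(dsdnsbl_query_name(connecting_ip, domain)) is None


if __name__ == "__main__":
    print(sender_ip_allowed("206.222.212.234", "wayne@midwestcs.com"))  # True: listed OK
    print(sender_ip_allowed("192.0.2.10", "wayne@midwestcs.com"))       # False: list relay
```

The last check is the thread's objection in code: a legitimate message relayed by the list server fails the sender domain's list, so a deployment must exempt known forwarders or check the hop before them.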