I'm not an expert on DNS, and I don't know how difficult the
following would be, but here goes...
Pre-Amble
=========
A lot of today's spam comes from compromised home machines. DNSbls
of dynamic IP address allocations attempt to list these ranges, but are
having extreme difficulty keeping up with ever-expanding allocations.
The basic problem is that there are hundreds of millions, if not low
billions, of dynamic IP addresses, and a much smaller number of MTAs
which should be sending email. Attempting to keep track of dynamic IP
addresses is doing things "the hard way". It would take much less
effort to keep track of authorized senders within a range of IP addresses.
RMX and similar proposals attempt to address this problem, but would
require structural changes in BIND and in DNS client software, which
makes acceptance and implementation problematical.
The Proposal
============
I propose additional functionality in DNSbls. The best explanation
is via example.
- assume the existence of DNSbl mta_list_zone.tld
- assume that your MTA is contacted by a machine with IP address
10.9.8.7 and rDNS of really.bad.example.com.
Your MTA would do a DNS query for
really.bad.example.com.7.8.9.10.mta_list_zone.tld
The DNSbl would implement the following logic...
- if address 10.9.8.7 is in the list of authorized MTAs, the return
value would be 127.0.0.2, i.e. OK to accept
- if address 10.9.8.7 is not in the list of authorized MTAs, and
mta_list_zone.tld considers itself authoritative for either
bad.example.com or example.com, the return value would be
127.0.0.3, i.e. recommend rejection
- if address 10.9.8.7 is not in the list of authorized MTAs, and
mta_list_zone.tld doesn't consider itself authoritative for either
bad.example.com or example.com, the return value would be
127.0.0.4, i.e. don't know
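The following is an added illustration of the lookup just described, not code from the original post or from any existing DNSbl. It builds the query name from the connecting address and its rDNS, shows how the zone side would parse that name back apart, and applies the three-way answer logic. The function names (query_name, parse_query_name, MtaListZone, decide) and the zone data (authorized MTA addresses, domains the zone is authoritative for) are assumptions constructed here; the zone is taken to be "authoritative" for a name when any parent domain of the rDNS host name is in its list, which is how the bad.example.com / example.com check in the proposal reads.

```python
"""Simulation of the proposed DNSbl lookup (added example, not from the post)."""
import ipaddress
from typing import Iterable, Iterator, Set, Tuple

# Return values exactly as given in the proposal.
RC_OK = "127.0.0.2"       # address is an authorized MTA: OK to accept
RC_REJECT = "127.0.0.3"   # not authorized, and the zone is authoritative for the domain
RC_UNKNOWN = "127.0.0.4"  # not authorized, and the zone has no opinion


def query_name(ip: str, rdns: str, zone: str) -> str:
    """Build <rdns>.<reversed IPv4 octets>.<zone>, the name the MTA queries."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{rdns.rstrip('.')}.{reversed_octets}.{zone.rstrip('.')}"


def parse_query_name(qname: str, zone: str) -> Tuple[str, str]:
    """Inverse of query_name(): recover (ip, rdns) from a query arriving at the zone."""
    zone_labels = zone.rstrip(".").split(".")
    labels = qname.rstrip(".").split(".")
    if labels[-len(zone_labels):] != zone_labels:
        raise ValueError("query is not under the zone")
    body = labels[:-len(zone_labels)]
    if len(body) < 5:  # four octet labels plus at least one rDNS label
        raise ValueError("query lacks a reversed IPv4 address or an rDNS name")
    ip = ".".join(reversed(body[-4:]))
    ipaddress.IPv4Address(ip)  # validate the recovered address
    return ip, ".".join(body[:-4])


def parent_domains(hostname: str) -> Iterator[str]:
    """Yield the parent domains of a host name, e.g. bad.example.com, example.com.

    The host label itself and the bare TLD are excluded (assumption).
    """
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(1, len(labels) - 1):
        yield ".".join(labels[i:])


class MtaListZone:
    """Zone-side logic: a list of authorized MTAs plus the domains it vouches for."""

    def __init__(self, zone: str, authorized: Iterable[str], authoritative_for: Iterable[str]):
        self.zone = zone
        self.authorized: Set[str] = {str(ipaddress.IPv4Address(a)) for a in authorized}
        self.authoritative_for: Set[str] = {d.lower().rstrip(".") for d in authoritative_for}

    def answer(self, qname: str) -> str:
        ip, rdns = parse_query_name(qname, self.zone)
        if ip in self.authorized:
            return RC_OK
        if any(d in self.authoritative_for for d in parent_domains(rdns)):
            return RC_REJECT
        return RC_UNKNOWN


def decide(answer: str) -> str:
    """MTA-side mapping of the DNSbl answer to an action; unknown codes are treated as 'unknown'."""
    return {RC_OK: "accept", RC_REJECT: "reject", RC_UNKNOWN: "unknown"}.get(answer, "unknown")


if __name__ == "__main__":
    # Constructed zone data for the walkthrough.
    zone = MtaListZone("mta_list_zone.tld",
                       authorized=["192.0.2.25"],
                       authoritative_for=["example.com"])
    for ip, rdns in [("10.9.8.7", "really.bad.example.com"),
                     ("192.0.2.25", "mx.example.com"),
                     ("198.51.100.9", "host.example.net")]:
        q = query_name(ip, rdns, zone.zone)
        a = zone.answer(q)
        print(f"{q} -> {a} ({decide(a)})")
```

Running the block prints one line per constructed connection: the 10.9.8.7 case maps to 127.0.0.3 (reject), the listed MTA to 127.0.0.2 (accept), and the host under a domain the zone does not vouch for to 127.0.0.4 (unknown). An MTA plugin should treat any answer outside the three defined codes as "unknown" rather than as a rejection, which is what decide() does.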
Advantages
==========
- Like RMX et al., this proposal would require keeping track of far
fewer addresses than dynamic IP address DNSbls.
- Unlike RMX et al., it would not be necessary to register your domain
with the list. Using an authorized MTA would be sufficient.
- Unlike RMX et al., no new DNS records or changes to BIND or DNS
client software would be required. All the changes would be in MTA
filter/blocking plugins (milter, etc) and DNSbls.
--
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg