6. Proposals - DNS-based - RMX (was Re: [Asrg] 0. General - Administrati

First of all, please keep in mind the posting guidelines 
(http://www.irtf.org/asrg/asrg_mailing_list_information.htm) - change the 
subject when necessary. This would apply under RMX and related proposals in 
item #6.
Second, please take a look at the DNS-based proposals from the work item 
list 
(https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg06938.html):
Designated Senders Protocol:  A Way to Identify Hosts Authorized to Send 
SMTP Traffic (http://www.pan-am.ca/draft-ietf-asrg-dsprotocol-00.txt)
Hadmut Denish's proposal 
(http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-02.txt)
DRIP proposal (not listed in the work item list yet)

Also, check the mailing list archive - there have been numerous discussions 
on DNS-based proposals and many of the things are being repeated again.
Yakov


At 09:46 PM 8/30/2003, Brad Knowles wrote:
> At 7:58 PM -0500 2003/08/30, Steven F Siirila wrote:
>
> >  You missed the point.  Spammers do NOT control the DNS for trojanned PC's
> >  and open proxies which appear to be our primary problem now.  Direct 
> > spammers
> >  are the easiest ones to catch already; who cares if they want to better
> >  identify themselves?
>         No, but they control their own DNS.  Depending on how this sort 
> of system would be expected to work, anybody could claim to be an MTA in 
> {HE|EH}LO, and when you look up the IP address under that domain, 
> lo-and-behold you find that they are authorized to send mail on behalf of 
> them -- through a wildcard that you know nothing about.
> >  That is only true if you don't require rDNS in addition.  I'm not 100% sure
> >  that everyone is going by the same definition of rDNS I am either.  By rDNS
> >  I am strictly speaking of the connection IP address, it's associated PTR
> >  record, and the A record of the name returned by the PTR.
>         To make his work, you've got to handle the possibility of the PTR 
> returning multiple names, and each name returning multiple IPs. You've 
> got to follow that chain to it's complete logical conclusion.
>         This can lead to its own form of DDoS attack on your servers.  In 
> fact, all it takes is a slightly hacked nameserver which generates new 
> records on the fly, and which returns two names for every IP address and 
> two IP addresses for every name.  In short order, you're going to have 
> more names and IP addresses to track than you have memory or disk space.
> >  With rDNS I can at least be assured that the owner of the in-addr.arpa 
> > space
> >  is the owner of the domain named in the PTR (or at least an agreement 
> > exists
> >  between the two).  BTW, having this domain makes it easier to determine an
> >  abuse address to send reports to, too.
>         The rDNS chain gets broken far, far too often.  In most cases, 
> the entity handing out the name has nothing to do with the entity owning 
> the network space, and vice-versa.
>         Moreover, you are dependant on the RIRs and LIRs doing their job. 
> Until recently, RIPE was always backed up on getting rDNS delegations 
> done, to the order of multiple years.  During the time I worked there, 
> Skynet had applied for rDNS delegations for several netblocks that RIPE 
> had issued to them in the recent past, and as of the time I left a couple 
> of years later, they still hadn't been done.
>         Then there are all the spammers operating out of stolen netblocks 
> or netblocks that haven't been issued yet, and for which they convince 
> some poor sod ISP to give them network connectivity.
>
>         At best, rDNS checks might stop naieve open proxies and 
> SoBig-like viraspam networks if they've infected machines that don't have 
> reverse DNS set up, but it would also catch a lot of SOHO operators that 
> have their own mail servers and have few options for upstream 
> connectivity (among others).
> --
> Brad Knowles, <brad(_dot_)knowles(_at_)skynet(_dot_)be>
>
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
>     -Benjamin Franklin, Historical Review of Pennsylvania.
>
> GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
> !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
> tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
>
> _______________________________________________
> Asrg mailing list
> Asrg(_at_)ietf(_dot_)org
> https://www1.ietf.org/mailman/listinfo/asrg

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg