ietf-asrg

Re: [Asrg] 6. Proposals - RMX-like implementation via rDNS

2003-09-11 09:39:20
Have a (or another) look at DRIP; it achieves most of what you're looking
for.

        http://www.ietf.org/internet-drafts/draft-brand-drip-01.txt


Raymond S Brand


waltdnes(_at_)waltdnes(_dot_)org wrote:

  I'm not quite certain whether this should go in "6. Proposals" or
"7. BCP".  It's a proposal that can be implemented by a change in
current practices.  No re-writing of core software is required.  The
idea is to allow MTAs to infer from IP addresses and/or rDNS, whether a
particular IP address is authorized to send email.

Rationale
=========

  Much of today's spam comes direct-to-MX via compromised home machines
on dynamic IP addresses.  The dynamic nature of these IP addresses
reduces the effectiveness of DNSbls of compromised machines.  The next
step is to pre-emptively block email from *ALL* dynamic addresses.  The
problem is that there are so many, that the zones get huge.  For
instance, RoadRunner is reported to have 24 SMTP servers and 15,696 /24
DHCP blocks.  Whitelisting the 24 SMTP servers, and blocking everything
else with an rDNS ending in "rr.com" would be much easier than blocking
15,696 /24 DHCP blocks.  An associated problem is keeping track of ISPs'
residential service address ranges as ISPs expand and get new blocks of
IP addresses.

The proposal
============

  The proposal is that ISPs publish a list of their outbound email
servers and any static IP address ranges that are authorized to send
email direct-to-MX.  All other IP addresses within the ISP's domain
would be assumed to be unauthorized to send email direct-to-MX.  The
publishing could be on a web page.  The addresses could be either
numeric, or rDNS patterns.  A real-life example is AOL.

  - Their dialup IP addresses have rDNS ending with ipt.aol.com
  - AOL attempts (not always successfully) to intercept outbound SMTP
    connections direct-to-remote-MX from its dialups and relay them via
    servers with rly-ipXX.mx.aol.com, where XX is a number from 00 to 99.
  - Email sent from dialups via "official channels" (i.e. AOL's email
    gateways) goes out via servers with rDNS ending imo-rXX.mx.aol.com.

  Thus, rejecting *.ipt.aol.com and rly-ip[0-9][0-9].mx.aol.com is
sufficient to block unauthorized senders using AOL's dialups.  If your
MTA's pattern-matching isn't that flexible, you can hardcode in the
following rDNS or IP addresses...

rly-ip01.mx.aol.com has address 205.188.156.49
rly-ip02.mx.aol.com has address 152.163.225.160
rly-ip03.mx.aol.com has address 64.12.138.7
rly-ip04.mx.aol.com has address 64.12.138.8
rly-ip05.mx.aol.com has address 64.12.138.9
rly-ip06.mx.aol.com has address 205.188.156.51

  That, plus *.ipt.aol.com, gives a grand total of 7 rDNS patterns to
block.  This is much easier to handle than a DNSbl zone of dialups.

  To get an up-to-date list of rly-ipXX.mx.aol.com machines, run the
following script...

#!/bin/bash
# Probe rly-ip00 .. rly-ip99 and print only the names that resolve
# (seq -w zero-pads, so the loop covers the same 00-99 range).
for n in $(seq -w 0 99); do
  host "rly-ip${n}.mx.aol.com" | grep -v "not found:"
done

Advantages
==========

  1) This proposal does *NOT* require new types of DNS records or other
protocols.  It can be implemented within the existing structure.  AOL
already does this, which shows that it can be done.

  2) Lists of authorized sending addresses/rDNS-patterns will generally
be much smaller than lists of residential IP addresses.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
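The check the quoted proposal describes, written out as an added example that is not part of the original post or of any ISP's published practice. It assumes a constructed PTR/A table standing in for the resolver so it runs offline; the rDNS patterns and the six relay addresses are the ones listed in the 2003 post and are used only to illustrate the matching, not as a current picture of AOL's network. The one step the post leaves implicit is forward confirmation: the sender controls the PTR record for its own address space, so a name is only trusted against the allow patterns if it resolves back to the connecting IP.

```python
import fnmatch

# Constructed stand-in for DNS so the example runs offline: PTR and A records
# for a few hypothetical hosts. A real MTA would query its resolver instead.
PTR_RECORDS = {
    "64.12.138.7": "rly-ip03.mx.aol.com",    # address listed in the post
    "172.16.5.9": "ac8a1f23.ipt.aol.com",    # hypothetical dialup host
    "172.16.5.10": "mail.example.net",       # hypothetical forged PTR: forward lookup disagrees
    "192.0.2.25": "imo-r05.mx.aol.com",      # hypothetical official gateway
}
A_RECORDS = {
    "rly-ip03.mx.aol.com": {"64.12.138.7"},
    "ac8a1f23.ipt.aol.com": {"172.16.5.9"},
    "mail.example.net": {"198.51.100.3"},
    "imo-r05.mx.aol.com": {"192.0.2.25"},
}

# rDNS patterns from the post: authorised gateways first, then dialups and
# the intercept relays. Checked in this order so an allow cannot be shadowed.
ALLOW_PATTERNS = ["imo-r[0-9][0-9].mx.aol.com"]
DENY_PATTERNS = ["*.ipt.aol.com", "rly-ip[0-9][0-9].mx.aol.com"]

# Fallback for MTAs without pattern matching: the relay addresses the post lists.
DENY_ADDRESSES = {
    "205.188.156.49", "152.163.225.160", "64.12.138.7",
    "64.12.138.8", "64.12.138.9", "205.188.156.51",
}


def fcrdns(ip):
    """Forward-confirmed rDNS: return the PTR name only if it resolves back
    to ip. The sender controls the PTR for its own address space, so an
    unconfirmed name must never be trusted to match an allow pattern."""
    name = PTR_RECORDS.get(ip)
    if name and ip in A_RECORDS.get(name, set()):
        return name.lower()
    return None


def classify(ip):
    """Return 'allow', 'deny', 'unknown' (no confirmable rDNS) or 'neutral'."""
    if ip in DENY_ADDRESSES:          # hard-coded list wins regardless of rDNS
        return "deny"
    name = fcrdns(ip)
    if name is None:
        return "unknown"
    if any(fnmatch.fnmatchcase(name, p) for p in ALLOW_PATTERNS):
        return "allow"
    if any(fnmatch.fnmatchcase(name, p) for p in DENY_PATTERNS):
        return "deny"
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.25", "172.16.5.9", "172.16.5.10", "205.188.156.49"):
        print(ip, classify(ip))
```

What to do with "unknown" (no rDNS, or a PTR whose forward lookup disagrees) is a local policy decision; the proposal's logic of "everything in the ISP's space that is not a listed gateway is unauthorised" argues for treating it the same as a dialup, but that also catches misconfigured legitimate servers, which is the trade-off a site has to accept.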