ietf-asrg
[Top] [All Lists]

[Asrg] MTX, a distributed DNS whitelist requiring IP and domain ownership

2010-02-15 12:38:17
http://www.chaosreigns.com/mtx/

It is implemented as a SpamAssassin plugin (except for Policy records).

I believe it is the only MARID (DNS whitelist) that requires ownership of
both the sending IP (PTR record delegation) and an associated domain
(that contained in the value of the PTR record of the delivering IP).

Also, it doesn't break current forwarding implementations as SPF does,
because it does not imply that the email is coming from the associated
domain, merely being authorized by it.

It was largely inspired by this barrier to adoption of SPF.

Basically the entire thing is:

1) Receive an email from IP.
2) Get host name from PTR record value for IP.
3) Get value of A record named IPReversed.mtx.HostName.
4) If the value is 127.*.*.1: Pass.  Otherwise: Fail.

Blacklisting, of course, is required.  I believe maintaining a blacklist
of (non-throwaway) spammer domains using MTX (against the sending IP's
PTR record), and possibly IP's which spam with MTX, will be significantly
easier than maintaining current IP blacklists.

I believe the more this is adopted, the more spammers will be required to
own the transmitting IP *and* a throwaway domain.  And I think if we pin
them down that far, ability to focus on the throwaway domains and IPs
used with MTX will make those problems more manageable.  

Yesterday I added Policy records to indicate level of participation per
domain, very similar to SPF's ?ALL / ~ALL / -ALL, meaning Neutral /
SoftFail / Fail.  This will allow more rejection of IPs without MTX
records from participating domains in the short term, and if MTX ever
becomes sufficiently wide spread, the Policy records can be ignored,
and all email that doesn't pass MTX can be rejected.  MTX's HardFail is
equivalent to SPF's Fail.  MTX's Fail includes all of Neutral, SoftFail,
and HardFail, and None which is equivalent to Neutral.  An MTX record
can also contain the value 127.*.*.0 to indicate a HardFail.

Example possible SpamAssassin scores for these values, now:

MTX_PASS -4
MTX_FAIL 0
MTX_NEUTRAL 0
MTX_SOFTFAIL 1
MTX_HARDFAIL 100

I hope that MTX_FAIL can be gradually increased as MTX is adopted.
MTX_NEUTRAL, MTX_SOFTFAIL ,and MTX_HARDFAIL should be used as a group, only
when MTX_FAIL is not used (since it contains them).

The blacklist implementation associates a SpamAssassin score with each
blacklisted domain, so, for example, a pure spammer domain:

MTX_BLACKLIST *.example.com 100

Or a legitimate domain which has a problem controlling its spam emission,
only countering the benefits of MTX_PASS:

MTX_BLACKLIST *.example.com 4


Should I use "mtx" or "_mtx" in the "A" record names?  _mtx appears to be
in compliance with RFC, but bind's default configuration appears to be in
violation, rejecting records with underscores.  I am concerned that the
underscore might be a problematic barrier to adoption because of similar
default behaviors.

Should I change the name of "policy" records to something else?


How can I make this better?

How can I get people to use it?

I would also appreciate testing / feedback for the implementation.

-- 
"It is better to die on your feet than to live on your knees."
 - Emiliano Zapata, Mexican Revolution Leader
http://www.ChaosReigns.com
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg