Re: pros and cons of RMX (Re: [Asrg] Declaration to the world)
How is this going to work for asrg@ietf.org email?
Let's say I run this code to check your dnsbl. Now you send email to asrg,
responding to this post, my MTA receives it and goes to your domain
specific dnsbl, it sees that you support it and checks ip address of the
ietf mail server and that ip is not in your dnsbl, so your email is rejected.
(Damn, and I really wanted to read your reply! :)
On 6 Mar 2003, wayne wrote:
> In <7695E2F6903F7A41961F8CF888D87EA809F01C37@red-msg-06.redmond.corp.microsoft.com> "Jonathan Wilkins" <jwilkins@microsoft.com> writes:
>
> > The reason I've been so vocal about the RMX proposal is that
> > I find it to be really objectionable since it requires a lot
> > of effort from a lot of people for no particular gain. It's
> > just another step in an arms race that has minimal long term
> > benefits.
>
> Well, I'm not certain what your definition of "a lot of effort" or "a
> lot of people" is, but domain specific DNSBLs can be implemented very
> easily.
>
>
> Just for kicks, I've implemented a domain specific DNSBL for my
> midwestcs.com domain. To find out if the IP address is, in my
> opinion, acceptable to send mail claiming to be from the midwestcs.com
> domain, you need to use the smtp-out.midwestcs.com DNSBL. That is, if
> the IP address is w.x.y.z, you would query
> z.y.x.w.smtp-out.midwestcs.com just like any other blacklist. If it
> returns 127.0.0.1, it should be rejected. If the A record is not
> found, it should be accepted.
>
> I created this domain specific DNSBL by adding the following lines to
> my zone file:
>
>     ; default entry: reject
>     *.smtp-out                  IN A     127.0.0.1
>     ; acceptable sending IP addresses
>     234.212.222.206.smtp-out    IN CNAME OK
>     237.212.222.206.smtp-out    IN CNAME OK
>     ; just in case
>     OK                          IN TXT   OK
>
>
> The next step is to use this black list. Just because it was easy for
> me, I hacked on SpamAssassin to check for domain specific DNSBLs. I
> did this by adding the following function to EvalTests.pm:
>
>     sub check_dsdnsbl {
>       my ($self, $set) = @_;
>
>       # prefer the Reply-To address, fall back to From
>       my $from = $self->get ('Reply-To:addr');
>       if (!defined $from || $from !~ /\@\S+/) {
>         $from = $self->get ('From:addr');
>       }
>       # keep only the domain part of the address
>       return 0 unless ($from =~ /\@(\S+)/);
>       $from = $1;
>
>       dbg ("checking domain specific DNSBL for $from", "rbl", -1);
>
>       # look the relay IP up in smtp-out.<sender domain>
>       return check_rbl( $self, $set, "smtp-out.$from", 1 );
>     }
>
>
> I also had to add the following to my local.cf file:
>
>     # check domain specific DNSBL
>     header   RCVD_IN_DSDNSBL  rbleval:check_dsdnsbl('smtp-out')
>     describe RCVD_IN_DSDNSBL  Received via Domain Specific DNSBL of sender
>     tflags   RCVD_IN_DSDNSBL  net
>     score    RCVD_IN_DSDNSBL  1.0
>
>
>
> Ok, as of tonight, anyone in the world can find out if an IP address
> should be sending you email claiming they are from my domain, and any
> domain in the world will be checked by me for the same thing. This
> isn't much, but it is a start.
>
>
> I suspect it would be about as much work to add this check to a
> sendmail.cf file, but about 10 years ago I decided that hacking on
> sendmail.cf files was less fun than pounding my fingers with a
> hammer. Someone who enjoys this kind of thing would need to do that.
>
> It shouldn't be hard to add this kind of check to any MTA that already
> supports DNSBLs, such as exim.
>
>
> Oh! Before anyone adds the above code to their SpamAssassin, note that my
> copy of SA has fixes for the DNSBL checks. SA's DNSBL checks are
> pretty bogus because they check from the originating end of the receive
> chain, which of course can be completely faked. To the best of my
> knowledge, this is still broken in the just released 2.50 version.
>
>
> Anyway, consider this a "proof of concept". I welcome any comments or
> suggestions about it.
>
>
> -wayne
>
> _______________________________________________
> Asrg mailing list
> Asrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/asrg
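Added example, not code from either poster: a Python model of the lookup rule in the quoted message, run against the mailing-list case raised in the reply. The in-memory resolver, the 192.0.2.25 relay address and the user@... sender addresses are constructed for illustration; only the zone contents come from the message.

```python
import ipaddress

# Constructed model of the quoted zone: the two CNAME exceptions point at a
# name with no A record; every other name under smtp-out hits the wildcard A.
ZONE = {"midwestcs.com": {"206.222.212.234", "206.222.212.237"}}


def query_name(ip, domain, label="smtp-out"):
    """Build z.y.x.w.<label>.<domain> for the IPv4 address w.x.y.z."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + f".{label}.{domain}"


def toy_resolver(qname):
    """Offline stand-in for a DNS A lookup (assumption); returns A records."""
    for domain, allowed in ZONE.items():
        suffix = f".smtp-out.{domain}"
        if qname.endswith(suffix):
            ip = ".".join(reversed(qname[: -len(suffix)].split(".")))
            return [] if ip in allowed else ["127.0.0.1"]
    return []  # domain publishes no such zone, so there is nothing to enforce


def check_sender(connecting_ip, from_addr, resolve=toy_resolver):
    """Apply the rule from the message: 127.0.0.1 rejects, no A record accepts."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    answers = resolve(query_name(connecting_ip, domain))
    return "reject" if "127.0.0.1" in answers else "accept"


if __name__ == "__main__":
    cases = [
        ("direct from a listed host", "206.222.212.234", "user@midwestcs.com"),
        ("same From, relayed by a list server", "192.0.2.25", "user@midwestcs.com"),
        ("domain without a smtp-out zone", "192.0.2.25", "user@example.org"),
    ]
    for label, ip, sender in cases:
        print(f"{label}: {query_name(ip, sender.split('@')[1])} -> "
              f"{check_sender(ip, sender)}")
```

The second case is the one the reply describes: the From domain is unchanged but the connecting IP belongs to the list server, so the wildcard answers 127.0.0.1.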