
Re: [Asrg] 6. Proposals - RMX-like implementation via rDNS
Have a (or another) look at DRIP; it achieves most of what you're looking
for.

	http://www.ietf.org/internet-drafts/draft-brand-drip-01.txt


Raymond S Brand


waltdnes@waltdnes.org wrote:
> 
>   I'm not quite certain whether this should go in "6. Proposals" or
> "7. BCP".  It's a proposal that can be implemented by a change in
> current practices.  No re-writing of core software is required.  The
> idea is to allow MTA's to infer from IP addresses and/or rDNS, whether a
> particular IP address is authorized to send email.
> 
> Rationale
> =========
> 
>   Much of today's spam comes direct-to-MX via compromised home machines
> on dynamic IP addresses.  The dynamic nature of these IP addresses
> reduces the effectiveness of DNSbls of compromised machines.  The next
> step is to pre-emptively block email from *ALL* dynamic addresses.  The
> problem is that there are so many, that the zones get huge.  For
> instance, RoadRunner is reported to have 24 SMTP servers and 15,696 /24
> DHCP blocks.  Whitelisting the 24 SMTP servers, and blocking everything
> else with an rDNS ending in "rr.com" would be much easier than blocking
> 15,696 /24 DHCP blocks.  An associated problem is keeping track of ISPs'
> residential service address ranges as ISPs expand and get new blocks of
> IP addresses.
> 
> The proposal
> ============
> 
>   The proposal is that ISPs publish a list of their outbound email
> servers and any static IP address ranges that are authorized to send
> email direct-to-MX.  All other IP addresses within the ISP's domain
> would be assumed to be unauthorized to send email direct-to-MX.  The
> publishing could be on a web page.  The addresses could be either
> numeric, or rDNS patterns.  A real-life example is AOL.
> 
>   - Their dialup IP addresses have rDNS ending with ipt.aol.com
>   - AOL attempts (not always successfully) to intercept outbound SMTP
>     connections direct-to-remote-MX from its dialups and relay them via
>     servers with rly-ipXX.mx.aol.com, where XX is a number from 00 to 99.
>   - Email sent from dialups via "official channels" (i.e. AOL's email
>     gateways) goes out via servers with rDNS ending imo-rXX.mx.aol.com.
> 
>   Thus, rejecting *.ipt.aol.com and rly-ip[0-9][0-9].mx.aol.com is
> sufficient to block unauthorized senders using AOL's dialups.  If your
> MTA's pattern-matching isn't that flexible, you can hardcode in the
> following rDNS or IP addresses...
> 
> rly-ip01.mx.aol.com has address 205.188.156.49
> rly-ip02.mx.aol.com has address 152.163.225.160
> rly-ip03.mx.aol.com has address 64.12.138.7
> rly-ip04.mx.aol.com has address 64.12.138.8
> rly-ip05.mx.aol.com has address 64.12.138.9
> rly-ip06.mx.aol.com has address 205.188.156.51
> 
>   That, plus *.ipt.aol.com, gives a grand total of 7 rDNS patterns to
> block.  This is much easier to handle than a DNSbl zone of dialups.
> 
>   To get an up-to-date list of rly-ipXX.mx.aol.com machines, run the
> following script...
> 
> #!/bin/bash
> # Probe rly-ip00 through rly-ip99; 'host' prints a "not found" line for
> # names that do not exist, and grep drops those so only live relays remain.
> i=0
> while [ ${i} -lt 10 ]
> do
>   j=0
>   while [ ${j} -lt 10 ]
>   do
>     host rly-ip${i}${j}.mx.aol.com | grep -v "not found:"
>     j=$(( $j + 1 ))
>   done
>   i=$(( $i + 1 ))
> done
> 
> Advantages
> ==========
> 
>   1) This proposal does *NOT* require new types of DNS records or other
> protocols.  It can be implemented within the existing structure.  AOL
> already does this, an example that it can be done.
> 
>   2) Lists of authorized sending addresses/rDNS-patterns will generally
> be much smaller than lists of residential IP addresses.

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
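An added illustration (not from either poster) of the MTA-side check the quoted proposal describes: a connecting IP is mapped to its rDNS name and matched against the AOL patterns and hardcoded addresses listed above. The DNS data is a constructed in-memory stand-in using documentation address ranges, and the name is only trusted for an accept decision after forward confirmation, since whoever controls a netblock also controls its PTR records.

```python
import fnmatch

# rDNS patterns from the proposal: reject AOL dialups and the relays AOL uses
# for intercepted direct-to-MX traffic; accept its official outbound gateways.
REJECT_PATTERNS = ["*.ipt.aol.com", "rly-ip[0-9][0-9].mx.aol.com"]
ACCEPT_PATTERNS = ["imo-r[0-9][0-9].mx.aol.com"]
# Addresses quoted in the proposal for MTAs without flexible pattern matching.
BLOCKED_IPS = {"205.188.156.49", "152.163.225.160", "64.12.138.7",
               "64.12.138.8", "64.12.138.9", "205.188.156.51"}

# Constructed stand-in for DNS so the example runs offline. Hostnames follow
# the patterns in the proposal; the addresses are documentation ranges
# (192.0.2/24, 198.51.100/24, 203.0.113/24), not real AOL addresses.
PTR = {                                     # ip -> PTR name
    "192.0.2.2": "host1.ipt.aol.com",       # constructed dialup
    "203.0.113.5": "imo-r05.mx.aol.com",    # constructed official gateway
    "198.51.100.7": "imo-r01.mx.aol.com",   # forged PTR on a foreign netblock
}
FORWARD = {                                 # name -> set of A records
    "host1.ipt.aol.com": {"192.0.2.2"},
    "imo-r05.mx.aol.com": {"203.0.113.5"},
    "imo-r01.mx.aol.com": {"203.0.113.1"},  # does not point back at 198.51.100.7
}

def confirmed_rdns(ip, ptr=PTR, forward=FORWARD):
    """Return the PTR name for ip only if an A record for it maps back to ip."""
    name = ptr.get(ip)
    if name is None:
        return None
    name = name.lower().rstrip(".")
    return name if ip in forward.get(name, set()) else None

def classify_sender(ip, ptr=PTR, forward=FORWARD):
    """Return 'reject', 'accept' or 'unknown' for a connecting IP address."""
    if ip in BLOCKED_IPS:
        return "reject"
    name = confirmed_rdns(ip, ptr, forward)
    if name is None:
        return "unknown"        # no confirmed rDNS: leave to other policy
    if any(fnmatch.fnmatchcase(name, p) for p in REJECT_PATTERNS):
        return "reject"
    if any(fnmatch.fnmatchcase(name, p) for p in ACCEPT_PATTERNS):
        return "accept"
    return "unknown"
```

Swapping the two dictionaries for real PTR and A lookups turns this into a usable policy hook; the forged-PTR case shows why a whitelist entry must never be granted on the PTR name alone.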