Re: pros and cons of RMX (Re: [Asrg] Declaration to the world)

wayne <wayne@midwestcs.com> Fri, 07 March 2003 05:53 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA00506 for <asrg-archive@odin.ietf.org>; Fri, 7 Mar 2003 00:53:12 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h2764YS06159 for asrg-archive@odin.ietf.org; Fri, 7 Mar 2003 01:04:34 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2764YO06156 for <asrg-web-archive@optimus.ietf.org>; Fri, 7 Mar 2003 01:04:34 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA00494 for <asrg-web-archive@ietf.org>; Fri, 7 Mar 2003 00:52:41 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h27623O05969; Fri, 7 Mar 2003 01:02:03 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2761AO05931 for <asrg@optimus.ietf.org>; Fri, 7 Mar 2003 01:01:10 -0500
Received: from backbone.midwestcs.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA00452 for <asrg@ietf.org>; Fri, 7 Mar 2003 00:49:16 -0500 (EST)
Received: from footbone.midwestcs.com ([206.222.212.237] helo=midwestcs.com) by backbone.midwestcs.com with esmtp (Exim 3.35 #1 (Debian)) id 18rAlH-0008NV-00 for <asrg@ietf.org>; Thu, 06 Mar 2003 23:51:15 -0600
To: ietf anti-spam research group <asrg@ietf.org>
Subject: Re: pros and cons of RMX (Re: [Asrg] Declaration to the world)
References: <7695E2F6903F7A41961F8CF888D87EA809F01C37@red-msg-06.redmond.corp.microsoft.com>
Content-Type: text/plain; charset="US-ASCII"
From: wayne <wayne@midwestcs.com>
In-Reply-To: <7695E2F6903F7A41961F8CF888D87EA809F01C37@red-msg-06.redmond.corp.microsoft.com>
Message-ID: <x4y93rd8rx.fsf@footbone.midwestcs.com>
Lines: 92
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Portable Code)
MIME-Version: 1.0
X-Scanner: exiscan *18rAlH-0008NV-00*gWHPAmWiuSA* ()
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Thu, 06 Mar 2003 23:51:14 -0600

In <7695E2F6903F7A41961F8CF888D87EA809F01C37@red-msg-06.redmond.corp.microsoft.com> "Jonathan Wilkins" <jwilkins@microsoft.com> writes:

> The reason I've been so vocal about the RMX proposal is that
> I find it to be really objectionable since it requires a lot
> of effort from a lot of people for no particular gain.  It's 
> just another step in an arms race that has minimal long term
> benefits.

Well, I'm not certain what your definition of "a lot of effort" or "a
lot of people" is, but domain specific DNSBLs can be implemented very
easily.


Just for kicks, I've implemented a domain specific DNSBL for my
midwestcs.com domain.  To find out if the IP address is, in my
opinion, acceptable to send mail claiming to be from the midwestcs.com
domain, you need to use the smtp-out.midwestcs.com DNSBL.  That is, if
the IP address is w.x.y.z, you would query
z.y.x.w.smtp-out.midwestcs.com just like any other blacklist.  If it
returns 127.0.0.1, it should be rejected.  If the A record is not
found, it should be accepted.

I created this domain specific DNSBL by adding the following lines to
my zone file:

; default entry: reject (wildcard catches every IP not listed below)
*.smtp-out      IN      A       127.0.0.1
; acceptable sending IP addresses (reversed octets, as in any DNSBL);
; each is a CNAME to OK, which has no A record, so the lookup finds nothing
234.212.222.206.smtp-out        IN      CNAME   OK
237.212.222.206.smtp-out        IN      CNAME   OK
; just in case (gives OK a record to exist, but deliberately no A record)
OK      IN      TXT     OK


The next step is to use this black list.  Just because it was easy for
me, I hacked on SpamAssassin to check for domain specific DNSBLs.  I
did this by adding the following function to EvalTests.pm:

sub check_dsdnsbl {
  my ($self, $set) = @_;

  # Prefer the Reply-To address; fall back to From if it has no "@domain".
  my $from = $self->get ('Reply-To:addr');
  if (!defined $from || $from !~ /\@\S+/) {
    $from = $self->get ('From:addr');
  }
  # No usable address at all: nothing to look up.
  return 0 unless ($from =~ /\@(\S+)/);
  $from = $1;

  dbg ("checking domain specific DNSBL for $from", "rbl", -1);

  # Query the sender domain's own list (z.y.x.w.smtp-out.<domain>)
  # through the existing RBL code path.
  return check_rbl( $self, $set, "smtp-out.$from", 1 );
}


I also had to add the following to my local.cf file:

# check domain specific DNSBL
header   RCVD_IN_DSDNSBL   rbleval:check_dsdnsbl('smtp-out')
describe RCVD_IN_DSDNSBL   Received via Domain Specific DNSBL of sender
tflags   RCVD_IN_DSDNSBL   net
score    RCVD_IN_DSDNSBL   1.0



Ok, as of tonight, anyone in the world can find out if an IP address
should be sending you email claiming they are from my domain, and any
domain in the world will be checked by me for the same thing.  This
isn't much, but it is a start.


I suspect it would be about as much work to add this check to a
sendmail.cf file, but about 10 years ago I decided that hacking on
sendmail.cf files was less fun than pounding my fingers with a
hammer.  Someone who enjoys this kind of thing would need to do that.

It shouldn't be hard to add this kind of check to any MTA that already
supports DNSBLs, such as exim.


Oh!  Before anyone adds the above code to their SpamAssassin, note that
my copy of SA has fixes for the DNSBL checks.  SA's DNSBL checks are
pretty bogus because they check from the originating end of the receive
chain, which of course can be completely faked.  To the best of my
knowledge, this is still broken in the just-released 2.50 version.


Anyway, consider this a "proof of concept".  I welcome any comments or
suggestions about it.


-wayne

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
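The lookup rule described in the message (reverse the octets, prepend `smtp-out.<sender domain>`, reject on 127.0.0.1, accept when no A record comes back) and the caveat about which Received header to take the IP from are both shown below in an added Python example. This is not wayne's code and not part of SpamAssassin; the resolver is a constructed in-memory stand-in that mirrors the zone in the message (two listed addresses, wildcard reject), the message text is constructed, and the host name `mx.example.net` is an assumed "our own MTA" used to mark which Received header is trustworthy.

```python
"""Domain-specific DNSBL check plus the Received-header pitfall.

Added example, not code from the message or from SpamAssassin.  The DNS
resolver is faked so everything runs offline.
"""
import email
import ipaddress
import re
from email.utils import parseaddr
from typing import Callable, Optional

# Constructed stand-in for the zone in the message: these two addresses
# CNAME to "OK" (no A record); anything else under smtp-out.midwestcs.com
# hits the wildcard and answers 127.0.0.1.
LISTED_OK = {"206.222.212.234", "206.222.212.237"}


def fake_resolve_a(name: str) -> Optional[str]:
    """Return the A record for `name`, or None when there is none."""
    suffix = ".smtp-out.midwestcs.com"
    if name.endswith(suffix):
        reversed_octets = name[: -len(suffix)]
        ip = ".".join(reversed(reversed_octets.split(".")))
        return None if ip in LISTED_OK else "127.0.0.1"   # wildcard: reject
    return None   # domain publishes no smtp-out list: nothing found


def dsdnsbl_name(ip: str, domain: str, label: str = "smtp-out") -> str:
    """Build z.y.x.w.<label>.<domain> for IPv4 address w.x.y.z."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + f".{label}.{domain}"


def check_dsdnsbl(ip: str, domain: str,
                  resolve_a: Callable[[str], Optional[str]] = fake_resolve_a) -> str:
    """'reject' if the list answers 127.0.0.1, 'accept' if no A record."""
    answer = resolve_a(dsdnsbl_name(ip, domain))
    return "reject" if answer == "127.0.0.1" else "accept"


def sender_domain(msg) -> Optional[str]:
    """Reply-To first, then From, the same order as the Perl check."""
    for hdr in ("Reply-To", "From"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None


# "[a.b.c.d] ... by host": the client IP a Received line records and the
# host that wrote the line.
RECEIVED_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([\w.-]+)", re.S)


def connecting_ip(msg, trusted_mtas: set) -> Optional[str]:
    """IP that connected to one of OUR MTAs: the topmost Received header
    whose 'by' host we trust.  Everything below it was written by other
    hosts and can be forged outright."""
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(received)
        if m and m.group(2).lower() in trusted_mtas:
            return m.group(1)
    return None


def naive_originating_ip(msg) -> Optional[str]:
    """The flawed approach the message describes: trust the bottom-most
    (earliest) Received header, the one the sender controls."""
    received = msg.get_all("Received", [])
    m = RECEIVED_RE.search(received[-1]) if received else None
    return m.group(1) if m else None


def evaluate(raw: str, trusted_mtas: set,
             resolve_a: Callable[[str], Optional[str]] = fake_resolve_a) -> dict:
    """Run the check with both IP choices so the difference is visible."""
    msg = email.message_from_string(raw)
    domain = sender_domain(msg)
    out = {"domain": domain}
    for kind, ip in (("trusted", connecting_ip(msg, trusted_mtas)),
                     ("naive", naive_originating_ip(msg))):
        out[f"{kind}_ip"] = ip
        out[f"{kind}_verdict"] = (check_dsdnsbl(ip, domain, resolve_a)
                                  if ip and domain else "skip")
    return out


# Constructed message: a host at 192.0.2.10 connects to our MTA
# (mx.example.net) and has pre-inserted a Received line that claims the
# mail came from one of midwestcs.com's listed addresses.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123; Fri, 7 Mar 2003 00:49:16 -0500
Received: from footbone.midwestcs.com ([206.222.212.237] helo=midwestcs.com)
\tby backbone.midwestcs.com with esmtp id 18rAlH-0008NV-00; Thu, 06 Mar 2003 23:51:15 -0600
From: wayne <wayne@midwestcs.com>
Subject: constructed example

body
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE, {"mx.example.net"}))
```

Running the sample shows the point of the caveat: the trusted-header path takes 192.0.2.10, which is not in the list, and rejects; the bottom-of-chain path takes the forged 206.222.212.237 and accepts. A domain that publishes no `smtp-out` list at all falls through to "accept", matching the "no A record found" rule in the message.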