IETF Logo Mail Archive

Re: [Asrg] RFC 6471 and "listing the Internet" as a punishment

"Emanuele Balla (aka Skull)" <skull@bofhland.org> Tue, 24 January 2012 15:52 UTC

Return-Path: <skull@bofhland.org>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F158B21F84DD for <asrg@ietfa.amsl.com>; Tue, 24 Jan 2012 07:52:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fLuYEU4x413Q for <asrg@ietfa.amsl.com>; Tue, 24 Jan 2012 07:52:48 -0800 (PST)
Received: from mithrandir.bofhland.org (mithrandir.bofhland.org [IPv6:2a02:9a8:94::b]) by ietfa.amsl.com (Postfix) with ESMTP id 21F0B21F84BD for <asrg@irtf.org>; Tue, 24 Jan 2012 07:52:48 -0800 (PST)
Received: from zarathustra.local (zarathustra.spin.it [147.123.15.60]) by mithrandir.bofhland.org (Postfix) with ESMTPSA id 9947C6C21A for <asrg@irtf.org>; Tue, 24 Jan 2012 16:52:46 +0100 (CET)
Message-ID: <4F1ED3CA.5040200@bofhland.org>
Date: Tue, 24 Jan 2012 16:52:42 +0100
From: "Emanuele Balla (aka Skull)" <skull@bofhland.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <18B53BA2A483AD45962AAD1397BE13253846E0FE87@UK-EXCHMBX1.green.sophos> <4F1ECBE4.1050802@bofhland.org> <20120124153531.GA8414@gsp.org>
In-Reply-To: <20120124153531.GA8414@gsp.org>
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Subject: Re: [Asrg] RFC 6471 and "listing the Internet" as a punishment
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 15:52:49 -0000

On 1/24/12 4:35 PM, Rich Kulawiec wrote:
> On Tue, Jan 24, 2012 at 04:19:00PM +0100, Emanuele Balla (aka Skull) wrote:
>> and again, in point 3.5:
>>
>> ?  A functioning DNSBL MUST NOT list 127.0.0.1.  There are a number of
>>    mail server implementations that do not cope with this well, and many
>>    will use a positive response for 127.0.0.1 as an indication that the
>>    DNSBL is shut down and listing the entire Internet.?
>>
>> That is not clearly against "listing everything as a punishment", but
>> means uribl.com is technically "non-functional"... ;-)
> 
> I may well be misreading this report AND the RFC (coffee level: alarmingly
> low) but it appears to me that this DNSBL is not listing "127.0.0.1",
> but is returning 127.0.0.1 in response to queries for "example.com"
> (and all other domains) when those queries are issued from certain hosts.
> (And I presume those hosts are the set which have issued excessive
> and/or unwelcome queries in the opinions of the DNSBL's operators.)

You (and David) are absolutely right: I simply messed up the whole
point. ;-)


The only point that directly applies, here, is IMHO 3.3:

«
3.3.  DNSBLs SHOULD Provide Operational Flags

   Most IP address-based DNSBLs follow a convention of query entries for
   IP addresses in 127.0.0.0/8 (127.0.0.0-127.255.255.255) to provide
   online indication of whether the DNSBL is operational.  Many, if not
   most, DNSBLs arrange to have a query of 127.0.0.2 return an A record
   (usually 127.0.0.2) indicating that the IP address is listed.  This
   appears to be a de facto standard indicating that the DNSBL is
   operating correctly.  See [RFC5782] for more details on DNSBL test
   entries.

   If this indicator is missing (query of 127.0.0.2 returns NXDOMAIN),
   or any query returns an A record outside of 127.0.0.0/8, the DNSBL
   should be considered non-functional.
»

Somehow, this seems to allow URIBL to do what it does: they state that
returning 127.0.0.1 means you're an undesired client and you have the
chance to trap that flag (with the right software, at least)...


On the other side, there's point 3.4:

«
   The DNSBL operator MUST issue impending shutdown warnings (on the
   DNSBL web site, appropriate mailing lists, newsgroups, vendor
   newsletters, etc.), and indicate that the DNSBL is inoperative using
   the signaling given in Section 3.3.
[...]

   The shutdown procedure should have the following properties:

   1.  MUST NOT list the entire Internet
»


One could argue they're not shutting down (just listing the Internet
:-D) so the point does not apply, but IMHO the underlying concept is.

After all, they're trying to force the offending customers to change
their configurations, just as during shutdowns...


-- 
Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.
-----------------------------------------------------------------------------
http://bofhskull.wordpress.com/

v2.8.7 | Report a Bug | By Email