[Asrg] MTX, a distributed DNS whitelist requiring IP and domain ownership
Darxus@ChaosReigns.com Mon, 15 February 2010 18:36 UTC
http://www.chaosreigns.com/mtx/

It is implemented as a SpamAssassin plugin (except for Policy records).

I believe it is the only MARID (DNS whitelist) that requires ownership of both the sending IP (PTR record delegation) and an associated domain (that contained in the value of the PTR record of the delivering IP).

Also, it doesn't break current forwarding implementations as SPF does, because it does not imply that the email is coming from the associated domain, merely being authorized by it. It was largely inspired by this barrier to adoption of SPF.

Basically the entire thing is:

1) Receive an email from IP.
2) Get host name from PTR record value for IP.
3) Get value of A record named IPReversed.mtx.HostName.
4) If the value is 127.*.*.1: Pass. Otherwise: Fail.

Blacklisting, of course, is required. I believe maintaining a blacklist of (non-throwaway) spammer domains using MTX (against the sending IP's PTR record), and possibly IPs which spam with MTX, will be significantly easier than maintaining current IP blacklists.

I believe the more this is adopted, the more spammers will be required to own the transmitting IP *and* a throwaway domain. And I think if we pin them down that far, ability to focus on the throwaway domains and IPs used with MTX will make those problems more manageable.

Yesterday I added Policy records to indicate level of participation per domain, very similar to SPF's ?ALL / ~ALL / -ALL, meaning Neutral / SoftFail / Fail. This will allow more rejection of IPs without MTX records from participating domains in the short term, and if MTX ever becomes sufficiently widespread, the Policy records can be ignored, and all email that doesn't pass MTX can be rejected.

MTX's HardFail is equivalent to SPF's Fail. MTX's Fail includes all of Neutral, SoftFail, and HardFail, and None which is equivalent to Neutral. An MTX record can also contain the value 127.*.*.0 to indicate a HardFail.

Example possible SpamAssassin scores for these values, now:

MTX_PASS -4
MTX_FAIL 0
MTX_NEUTRAL 0
MTX_SOFTFAIL 1
MTX_HARDFAIL 100

I hope that MTX_FAIL can be gradually increased as MTX is adopted. MTX_NEUTRAL, MTX_SOFTFAIL, and MTX_HARDFAIL should be used as a group, only when MTX_FAIL is not used (since it contains them).

The blacklist implementation associates a SpamAssassin score with each blacklisted domain, so, for example, a pure spammer domain:

MTX_BLACKLIST *.example.com 100

Or a legitimate domain which has a problem controlling its spam emission, only countering the benefits of MTX_PASS:

MTX_BLACKLIST *.example.com 4

Should I use "mtx" or "_mtx" in the "A" record names? _mtx appears to be in compliance with RFC, but bind's default configuration appears to be in violation, rejecting records with underscores. I am concerned that the underscore might be a problematic barrier to adoption because of similar default behaviors.

Should I change the name of "policy" records to something else?

How can I make this better?

How can I get people to use it?

I would also appreciate testing / feedback for the implementation.

--
"It is better to die on your feet than to live on your knees."
- Emiliano Zapata, Mexican Revolution Leader
http://www.ChaosReigns.com
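
The four-step check from the message above, as an added Python example; it is not part of the original post and is not the author's SpamAssassin plugin. It assumes "IPReversed" means the IPv4 octets in reverse order, and the lookup callables, addresses and host names are constructed so the example runs offline. Policy records are left out because the message does not give their format.

```python
import ipaddress

# Constructed sample DNS data (documentation addresses and example names),
# standing in for live PTR and A lookups so the example runs offline.
SAMPLE_PTR = {
    "192.0.2.25": "mail.example.com",    # domain publishes an MTX record for it
    "192.0.2.26": "mail.example.com",    # PTR names the domain, no MTX record
    "198.51.100.7": "dsl7.example.net",  # domain explicitly disowns this IP
}
SAMPLE_A = {
    "25.2.0.192.mtx.mail.example.com": "127.0.0.1",
    "7.100.51.198.mtx.dsl7.example.net": "127.0.0.0",
}

def mtx_query_name(ip, hostname, label="mtx"):
    """Step 3: build IPReversed.mtx.HostName (octet reversal is an assumption)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    host = hostname.rstrip(".").lower()
    return ".".join(reversed(octets)) + "." + label + "." + host

def classify(a_value):
    """Step 4: 127.*.*.1 is Pass, 127.*.*.0 is HardFail, anything else Fail."""
    if a_value is None:              # no such A record
        return "fail"
    try:
        octets = ipaddress.IPv4Address(a_value).packed
    except ValueError:               # malformed answer
        return "fail"
    if octets[0] != 127:
        return "fail"
    if octets[3] == 1:
        return "pass"
    if octets[3] == 0:
        return "hardfail"            # a subset of Fail, per the message
    return "fail"

def mtx_check(ip, lookup_ptr, lookup_a):
    """Steps 1-4. lookup_ptr and lookup_a are hypothetical callables that
    return a string, or None when the record does not exist."""
    hostname = lookup_ptr(ip)        # step 2: controlled by the IP owner
    if not hostname:
        return "fail"
    # Step 3: this record lives in the zone of the domain the PTR names,
    # so only that domain's owner can publish it.
    return classify(lookup_a(mtx_query_name(ip, hostname)))

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "198.51.100.7", "203.0.113.9"):
        print(ip, mtx_check(ip, SAMPLE_PTR.get, SAMPLE_A.get))
```

The 192.0.2.26 case shows why both ownerships are needed: an IP owner can point a PTR at any host name, but the check still fails unless that domain's zone holds the matching record.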