spamassassin-dev December 2011 archive

[Bug 6724] New: DNS Blacklists returning purposefully wrong answers as part of Anti-Abuse / Free for Some Policies

From: <bugzilla-daemon_at_nospam>
Date: Tue Dec 13 2011 - 14:33:24 GMT
To: dev@spamassassin.apache.org

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6724

             Bug #: 6724
           Summary: DNS Blacklists returning purposefully wrong answers as
                    part of Anti-Abuse / Free for Some Policies
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Platform: PC
        OS/Version: Windows 7
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Rules
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: kmcgrail@pccc.com
    Classification: Unclassified

Bug 6668 referenced a policy in URIBL that will return purposefully wrong
answers. Therefore, this ticket is open to clarify the policy on use of BLs in
SA by default that might purposefully respond with wrong answers.

For URIBL, they define this policy: http://uribl.com/about.shtml#abuse

"BLOCKED - POSITIVE RESPONSE ACL

  # host -tA 2.0.0.127.multi.uribl.com
  2.0.0.127.multi.uribl.com has address 127.0.0.255

  # host -tTXT 2.0.0.127.multi.uribl.com
  2.0.0.127.multi.uribl.com descriptive text "1.2.3.4 has been blocked due to
excessive queries."

  * Positive ACLs will only be used for extreme cases."

This policy is similar to DNSWL's, which led to disabling DNSWL by default
recently, as discussed beginning in October when they started implementing the
policy.

Abuse is a reality of running a DNS-based BL, and needing to block resources
from hogs makes administrative sense.

However, if this policy is implemented at URIBL to purposefully give wrong
answers, URIBL needs to also be considered for disabling by default.

1 - Are any other BLs doing this that are supported by SA by default?

2 - What is a policy that SA can support to protect the nameservers from abuse?

I propose only the following two solutions:

1 - Block/do not respond to queries so that no rules misfire purposefully.
This is the current policy.

2 - For DNS blacklists using multi/combined lists, a rule for an octet that
is a blocked answer could be implemented with a simple rule.

- They must return only the bit for the block, with no bits that provide
purposefully wrong answers.

- The score on the rule that acknowledges a block should be minimal i.e. 0.001

- The message on the rule would have to link to a generic page on SA's wiki
regarding "free for some" services and would be uniform for all BLs. It will
specifically NOT lead to a subscription page for a vendor as SA is not an
advertising service.

This solution could be implemented in current SA releases with a rules update.

The bad part is that this answer doesn't appear to achieve much because it
still responds to each query but apparently it might lower traffic from
retries. Hopefully, they can also give a high TTL on the blocked query answer
so caching is more effective.

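The proposal above (a rule that recognises the "blocked" octet and fires with a near-zero score instead of letting the listing rules misfire) is easy to get wrong with a plain bitmask, because an answer such as 127.0.0.255 has every listing bit set. The following is an added example, not code from the bug report, from SpamAssassin or from URIBL. The only facts it takes from the report are the test query `2.0.0.127.multi.uribl.com` and the 127.0.0.255 positive-ACL answer quoted from URIBL's policy; the bit-to-list names in `LISTING_BITS`, the rule names and the scores are assumptions for illustration, and the sample answers are constructed.

```python
"""Decode combined DNSBL A-record answers, separating a 'query blocked'
(positive ACL) response from a genuine listing.

Added example; not from the bug report, SpamAssassin or URIBL. The 127.0.0.255
sentinel and the 2.0.0.127 test query come from the policy text quoted in the
report. LISTING_BITS and the rule names/scores below are assumptions.
"""
import ipaddress
import socket

# From the quoted URIBL abuse policy: this answer means "your resolver is
# blocked", not "the looked-up host is listed".
BLOCKED_ANSWER = ipaddress.IPv4Address("127.0.0.255")

# Assumed bit -> list-name map for a combined ("multi") zone (hypothetical).
LISTING_BITS = {
    2: "black",
    4: "grey",
    8: "red",
}

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def classify(answers):
    """Classify the A records returned for one DNSBL query.

    Returns a (verdict, detail) pair:
      ("none", set())        no answer (NXDOMAIN / no A records)
      ("blocked", set())     the ACL sentinel came back; listing rules must not fire
      ("listed", {names})    listing bits decoded from the last octet of 127.0.0.x
      ("unexpected", {ips})  answers outside 127.0.0.0/8 (misconfiguration, hijack)
    """
    addrs = {ipaddress.IPv4Address(a) for a in answers}
    if not addrs:
        return ("none", set())
    # Check the sentinel before any bitmask test: 0xFF has all listing bits set,
    # so a naive "A 2" / "A 4" / "A 8" subrule would fire black+grey+red.
    if BLOCKED_ANSWER in addrs:
        return ("blocked", set())
    outside = {str(a) for a in addrs if a not in LOOPBACK}
    if outside:
        return ("unexpected", outside)
    names = set()
    for a in addrs:
        low_octet = int(a) & 0xFF
        for bit, name in LISTING_BITS.items():
            if low_octet & bit:
                names.add(name)
    return ("listed", names)


def rule_hits(verdict, detail):
    """Map a verdict to illustrative SpamAssassin-style rule hits.

    Rule names and scores are hypothetical. The blocked case scores 0.001,
    as the report proposes: visible in the headers, negligible in the verdict.
    """
    if verdict == "blocked":
        return {"URIBL_BLOCKED": 0.001}
    if verdict == "listed":
        return {"URIBL_" + name.upper(): 1.0 for name in sorted(detail)}
    return {}


def lookup(ip: str, zone: str):
    """Live lookup via the system resolver (not used by the offline checks)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(query_name(ip, zone))
    except socket.gaierror:
        return []
    return addrs


if __name__ == "__main__":
    # Constructed answers, in the order a resolver might return them.
    for sample in (["127.0.0.255"], ["127.0.0.6"], [], ["10.0.0.1"]):
        verdict, detail = classify(sample)
        print(sample, "->", verdict, sorted(detail), rule_hits(verdict, detail))
```

The ordering inside `classify` is the whole point: the sentinel test runs before any bit is examined, so a blocked resolver produces exactly one low-scoring informational hit rather than a full set of listing hits, which is the "no bits that provide purposefully wrong answers" condition the report asks list operators to honour.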