[RPZ] fun with dns rpz
jeffc at surbl.org
Tue Nov 22 10:56:28 UTC 2011
On Monday, November 21, 2011, 11:27:40 PM, Paul Vixie wrote:
> tonight i was spammed as i often am, through an open relay which happens
> a lot. the payload was a love letter from a no-doubt beautiful russian
> woman who fell in love with me as soon as she saw my picture (which is
> the point at which i knew it was spam). out of curiousity i clicked on
> the link and got an MSIE "cannot display the webpage". out of even
> greater curiousity i ran a "dig" and found that surbl and spamhaus were
> both on the job.
> this dns firewalling stuff looks like a win. when we get a large number
> of subscribers and a moderate number of publishers, spammers will
> experience DNS RPZ as "sudden mysterious death from the sky." i like it.
> here it is through an rpz-speaking recursive name server that subscribes
> to surbl first, then spamhaus, both of whom had this domain mapped to
> "synthetic nxdomain". below that a "+trace" shows that the domain is
> still live in .ru (though the .ru folks are getting better and faster at
> takedowns, so it may not still be there by the time you read this.)
> ; <<>> DiG 9.9.0b2 <<>> dateritmi.ru a
> ;; global options: +cmd
> ;; Got answer:
;; ->>>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11775
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dateritmi.ru. IN A
> ;; AUTHORITY SECTION:
> rpz.surbl.org. 180 IN SOA dev.null.
> zone.surbl.org. 1321945813 180 180 604800 180
> ;; Query time: 369 msec
> ;; SERVER: 2001:4f8:3:30::3#53(2001:4f8:3:30::3)
> ;; WHEN: Tue Nov 22 07:12:21 2011
> ;; MSG SIZE rcvd: 103
> dateritmi.ru. 345600 IN NS ns1.reg.ru.
> dateritmi.ru. 345600 IN NS ns2.reg.ru.
> ;; Received 113 bytes from 184.108.40.206#53(220.127.116.11) in 1045 ms
> dateritmi.ru. 43200 IN A 18.104.22.168
> ;; Received 46 bytes from 22.214.171.124#53(126.96.36.199) in 193 ms
SURBL has 111 related, similar domains blacklisted. I tried to
send them to the list, but SpamAssassin apparently is being
applied to list messages. Makes it hard to discuss badness.
mailto:jeffc at surbl.org
More information about the DNSfirewalls