[RPZ] fun with dns rpz
Jeff Chan
jeffc at surbl.org
Tue Nov 22 10:56:28 UTC 2011
On Monday, November 21, 2011, 11:27:40 PM, Paul Vixie wrote:
> tonight i was spammed as i often am, through an open relay which happens
> a lot. the payload was a love letter from a no-doubt beautiful russian
> woman who fell in love with me as soon as she saw my picture (which is
> the point at which i knew it was spam). out of curiosity i clicked on
> the link and got an MSIE "cannot display the webpage". out of even
> greater curiosity i ran a "dig" and found that surbl and spamhaus were
> both on the job.
> this dns firewalling stuff looks like a win. when we get a large number
> of subscribers and a moderate number of publishers, spammers will
> experience DNS RPZ as "sudden mysterious death from the sky." i like it.
> here it is through an rpz-speaking recursive name server that subscribes
> to surbl first, then spamhaus, both of whom had this domain mapped to
> "synthetic nxdomain". below that a "+trace" shows that the domain is
> still live in .ru (though the .ru folks are getting better and faster at
> takedowns, so it may not still be there by the time you read this.)
> re:
> ; <<>> DiG 9.9.0b2 <<>> dateritmi.ru a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11775
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dateritmi.ru. IN A
> ;; AUTHORITY SECTION:
> rpz.surbl.org. 180 IN SOA dev.null. zone.surbl.org. 1321945813 180 180 604800 180
> ;; Query time: 369 msec
> ;; SERVER: 2001:4f8:3:30::3#53(2001:4f8:3:30::3)
> ;; WHEN: Tue Nov 22 07:12:21 2011
> ;; MSG SIZE rcvd: 103
> vs.
>
> dateritmi.ru. 345600 IN NS ns1.reg.ru.
> dateritmi.ru. 345600 IN NS ns2.reg.ru.
> ;; Received 113 bytes from 193.232.156.17#53(193.232.156.17) in 1045 ms
> dateritmi.ru. 43200 IN A 31.210.103.8
> ;; Received 46 bytes from 178.218.208.130#53(178.218.208.130) in 193 ms
SURBL has 111 related, similar domains blacklisted. I tried to
send them to the list, but SpamAssassin apparently is being
applied to list messages. Makes it hard to discuss badness.
Cheers,
Jeff C.
--
Jeff Chan
mailto:jeffc at surbl.org
http://www.surbl.org/
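To make the behaviour in the quoted dig output checkable on a resolver you operate, here is an added example (not code from the thread, SURBL or ISC) that parses dig text and flags an NXDOMAIN as RPZ-synthesized when the SOA owner in the AUTHORITY section is not an ancestor of the queried name, which also reveals which policy feed fired. The REAL_NXDOMAIN sample and its server names and SOA values are constructed.

```python
import re

# Constructed from the dig output quoted in this thread (trimmed): the RPZ
# resolver answered NXDOMAIN with the policy zone's SOA in AUTHORITY.
RPZ_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11775
;; QUESTION SECTION:
;dateritmi.ru.                  IN      A
;; AUTHORITY SECTION:
rpz.surbl.org.          180     IN      SOA     dev.null. zone.surbl.org. 1321945813 180 180 604800 180
"""

# Constructed: a genuine NXDOMAIN carries the SOA of a zone that contains
# the name (here the .ru zone). Server names and SOA values are made up.
REAL_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;nosuchname.example.ru.         IN      A
;; AUTHORITY SECTION:
ru.                     3600    IN      SOA     ns.example. hostmaster.example. 1 1 1 1 1
"""

SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s", re.MULTILINE)
QNAME_RE = re.compile(r"^;(\S+)\s+IN\s+\w+\s*$", re.MULTILINE)

def _norm(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."

def is_ancestor(zone, name):
    """True if `zone` is `name` itself or one of its parent zones."""
    zone, name = _norm(zone), _norm(name)
    return zone == "." or name == zone or name.endswith("." + zone)

def classify_nxdomain(dig_text):
    """Flag an NXDOMAIN whose AUTHORITY SOA lies outside the query name's
    ancestry: BIND RPZ inserts the SOA of the policy zone that matched, so
    that owner both reveals the rewrite and names the feed that fired."""
    m = re.search(r"status:\s*(\w+)", dig_text)
    status = m.group(1) if m else None
    q, soa = QNAME_RE.search(dig_text), SOA_RE.search(dig_text)
    qname = _norm(q.group(1)) if q else None
    owner = _norm(soa.group(1)) if soa else None
    synthetic = (status == "NXDOMAIN" and qname is not None
                 and owner is not None and not is_ancestor(owner, qname))
    return {"status": status, "qname": qname, "soa_owner": owner,
            "rpz_synthesized": synthetic,
            "policy_zone": owner if synthetic else None}
```

The check only covers NXDOMAIN rewrites; RPZ can also substitute NODATA or CNAME answers, which need the policy zone's own records to distinguish.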