[RPZ] thank you spamhaus and surbl rpz!

Paul Vixie vixie at isc.org
Thu Aug 30 02:09:55 UTC 2012


i'm not going to show you the spam that's on my screen right now, since
a lot of you have upstream filtering and would end up not hearing the
rest of what i'm about to say. it's got a bunch of asian glyphs, some in
yellow and pink. it says "free pass ticket". a scantily clad young human
female smiles at me from a photo.

the photo is a clickable URL (http bowebpy.iko.chikienyelllow.net ...)
which is unresolvable here because of the spamhaus rpz:

> ; <<>> DiG 9.9.1-P1 <<>> bowebpy.iko.chikienyelllow.net a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64735
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;bowebpy.iko.chikienyelllow.net.        IN      A
>
> ;; AUTHORITY SECTION:
> rpz.spamhaus.org.       60      IN      SOA     need.to.know.only.
> hostmaster.spamhaus.org. 1346286361 120 120 432000 60
>
> ;; Query time: 2 msec
> ;; SERVER: 2001:559:8000:cb::2#53(2001:559:8000:cb::2)
> ;; WHEN: Thu Aug 30 00:29:53 2012
> ;; MSG SIZE  rcvd: 139

alas, it was sent to a public contact address on a public mail server
which by policy cannot filter spam. at home i've got postfix set up to
reject e-mail that has unresolvable domain names in the SMTP envelope or
RFC822 headers. that sender (info dg.xixipyurgsyq.com) is caught by
SURBL here:

> ; <<>> DiG 9.9.1-P1 <<>> dg.xixipyurgsyq.com mx
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27992
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dg.xixipyurgsyq.com.           IN      MX
>
> ;; AUTHORITY SECTION:
> rpz.surbl.org.          180     IN      SOA     dev.null.
> zone.surbl.org. 1346286795 180 180 604800 180
>
> ;; Query time: 259 msec
> ;; SERVER: 2001:559:8000:cb::2#53(2001:559:8000:cb::2)
> ;; WHEN: Thu Aug 30 00:35:04 2012
> ;; MSG SIZE  rcvd: 110

this is cool stuff.

now i need to teach my smtp server to scan bodies for domain names and
urls, so that if any of them don't resolve, i can bounce the mail. doing
it for envelope and headers is only part of the problem.

paul
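As an added illustration of the body-scanning step described above (example code, not Paul's and not part of the post): a Python sketch that pulls hostnames out of a message body, runs each through a resolver, and tells an RPZ-rewritten NXDOMAIN apart from a genuine one by checking whether the SOA in the authority section belongs to an ancestor of the queried name. `sample_resolver`, `SAMPLE_DIG` and `BODY` are assumptions: the resolver is a stand-in returning constructed dig-style text modelled on the two responses quoted above, where a real deployment would run dig or a resolver library.

```python
import re

# Constructed sample responses modelled on the two dig outputs quoted in the
# post, plus one ordinary NOERROR answer (also constructed, not from the post).
SAMPLE_DIG = {
    "bowebpy.iko.chikienyelllow.net": (
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64735\n;; AUTHORITY SECTION:\n"
        "rpz.spamhaus.org.\t60\tIN\tSOA\tneed.to.know.only. hostmaster.spamhaus.org. 1346286361 120 120 432000 60\n"),
    "dg.xixipyurgsyq.com": (
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27992\n;; AUTHORITY SECTION:\n"
        "rpz.surbl.org.\t180\tIN\tSOA\tdev.null. zone.surbl.org. 1346286795 180 180 604800 180\n"),
    "example.com": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n;; ANSWER SECTION:\n"
        "example.com.\t3600\tIN\tA\t192.0.2.1\n"),
}
UNKNOWN = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 0\n"

def sample_resolver(name):  # stand-in for running dig (constructed data above)
    return SAMPLE_DIG.get(name.lower(), UNKNOWN)

STATUS_RE = re.compile(r"status: (\w+)")
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s", re.M)

def classify(qname, dig_text):
    """'noerror', 'nxdomain', or 'rpz:<zone>' for an RPZ-rewritten NXDOMAIN."""
    status = STATUS_RE.search(dig_text).group(1).lower()
    if status != "nxdomain":
        return status
    m = SOA_RE.search(dig_text)
    soa_owner = m.group(1).rstrip(".").lower() if m else ""
    q = qname.rstrip(".").lower()
    # A genuine NXDOMAIN's SOA comes from an ancestor of the query name (possibly
    # the root); an RPZ rewrite carries the policy zone's own SOA, which is not one.
    if soa_owner == "" or q == soa_owner or q.endswith("." + soa_owner):
        return "nxdomain"
    return "rpz:" + soa_owner

HOST_RE = re.compile(r"(?:https?://)?\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
def extract_hostnames(body):  # rough: URLs, mail addresses and bare domains
    return list(dict.fromkeys(m.group(1).lower() for m in HOST_RE.finditer(body)))

def check_body(body, resolve=sample_resolver):
    return {h: classify(h, resolve(h)) for h in extract_hostnames(body)}

def should_reject(body, resolve=sample_resolver):  # bounce if anything fails to resolve
    return any(v != "noerror" for v in check_body(body, resolve).values())

# Constructed message body echoing the spam described in the post.
BODY = ("free pass ticket! http://bowebpy.iko.chikienyelllow.net/x\n"
        "reply to info@dg.xixipyurgsyq.com or see https://example.com.\n")
```

A SERVFAIL comes back as "servfail" and is treated as non-resolving here; a production filter would more likely defer (4xx) on that than bounce.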
