funsec mailing list archives
Re: Why spam blacklisting isn't going to work anymore ...
From: Paul Vixie <vixie () vix com>
Date: Sat, 16 Apr 2011 04:49:02 +0000
tomb () byrneit net ("Tomas L. Byrnes") writes:
The real issue isn't that you can't block an entire CIDR, but that the current DNSBL query methods compare with the full IP, which means that caching becomes useless, since the /56 that a given user gets can be cycled through randomly with more than the 2^40 times the current Internet worth of AAAA RRs. Sure, you can have the entire CIDR in your DNSBL, but you can't use that DNSBL, using current methods, effectively, since you have to reverse, query, and wait for each source IP. You need to preload, and use an alternate query method. RFC 3123 is a good start for such a method. It's part of how we do this in ThreatSTOP.
i disagree for three reasons.

first, i suggest that we'll have to blackhole by /64 most of the time anyway since the lower 64 bits of an IP address are assignable by the malware. doing it on the /56 (or /48) will be an adaptive thing based on density and can be automated.

second, we'll be wildcarding this in the authority servers to keep the zone to a manageable size, and using very short DNS TTLs in order that the recursive server's cache won't explode when rapid readdressing occurs. (any rdns cache without background expiration will die hard and often.)

third, smtp responders already have to do a DNS query per inbound message; there's no new DNS transaction load due to ipv6's new vulnerabilities vs. ipv4.

i agree for a reason not mentioned yet. blackholing by source IP hasn't worked for years since so much spam is mixed in with non-spam from addresses like the gmail and hotmail and aol servers which for business reasons no one is comfortable blackholing. the spammers won this round in 2002 or so. also, the absence of a PTR RR or its presence having a specific pattern is a better input to the filter than the recent reputation of the ip address.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
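An added illustration (not from anyone in this thread) of the query-name mechanics behind the two positions: a full 32-nibble reversed IPv6 lookup versus a wildcard listing at the /64 or /56 boundary on the authority side. The zone name v6bl.example and the listed prefixes are constructed for the example.

```python
import ipaddress

DNSBL_ZONE = "v6bl.example"  # hypothetical zone name, not a real DNSBL


def reversed_nibbles(addr: str) -> list[str]:
    """All 32 hex nibbles of an IPv6 address, least significant first,
    which is the label order a reverse-style DNSBL query uses."""
    hexdigits = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return list(reversed(hexdigits))


def dnsbl_query_name(addr: str, zone: str = DNSBL_ZONE) -> str:
    """Query name for one source address: every nibble reversed under the zone.
    The resolver caches only this exact name, so a sender hopping through the
    lower 64 bits never produces a cache hit."""
    return ".".join(reversed_nibbles(addr)) + "." + zone


def prefix_owner_name(prefix: str, zone: str = DNSBL_ZONE) -> str:
    """Owner name a wildcard listing for an aligned prefix would carry in the
    zone: a /64 keeps 16 nibbles, a /56 keeps 14. '*' below them matches every
    host the malware can assign in the remaining bits, so the zone stays small."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix must end on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return "*." + ".".join(reversed(nibbles)) + "." + zone


def is_listed(addr: str, listed_prefixes, zone: str = DNSBL_ZONE) -> bool:
    """Simulate the authority server's wildcard match: the query name is listed
    when its trailing labels equal the wildcard owner name minus its '*.'."""
    query = dnsbl_query_name(addr, zone)
    for prefix in listed_prefixes:
        suffix = prefix_owner_name(prefix, zone)[2:]
        if query.endswith("." + suffix):
            return True
    return False


# Constructed listings: one /64 and one /56 (documentation prefixes).
LISTED = ["2001:db8:1:2::/64", "2001:db8:5:100::/56"]
```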
Current thread:
- Re: Why spam blacklisting isn't going to work anymore ... Tomas L. Byrnes (Apr 13)
- Re: Why spam blacklisting isn't going to work anymore ... Tomas L. Byrnes (Apr 14)
- Re: Why spam blacklisting isn't going to work anymore ... der Mouse (Apr 14)
- Re: Why spam blacklisting isn't going to work anymore ... Paul Vixie (Apr 15)
- Re: Why spam blacklisting isn't going to work anymore ... Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 15)
- Re: Why spam blacklisting isn't going to work anymore ... der Mouse (Apr 16)
- Re: Why spam blacklisting isn't going to work anymore ... Paul Vixie (Apr 17)
- Re: Why spam blacklisting isn't going to work anymore ... Tomas L. Byrnes (Apr 17)
- Re: Why spam blacklisting isn't going to work anymore ... der Mouse (Apr 17)
- Re: Why spam blacklisting isn't going to work anymore ... Paul Vixie (Apr 17)
- Re: Why spam blacklisting isn't going to work anymore ... Larry Seltzer (Apr 17)
- Re: Why spam blacklisting isn't going to work anymore ... Tomas L. Byrnes (Apr 18)
- Re: Why spam blacklisting isn't going to work anymore ... Rich Kulawiec (Apr 19)