funsec mailing list archives

Re: Why spam blacklisting isn't going to work anymore ...


From: Paul Vixie <vixie () vix com>
Date: Sat, 16 Apr 2011 04:49:02 +0000

tomb () byrneit net ("Tomas L. Byrnes") writes:

> The real issue isn't that you can't block an entire CIDR, but that the
> current DNSBL query methods compare with the full IP, which means that
> caching becomes useless, since the /56 that a given user gets can be
> cycled through randomly with more than the 2^40 times the current
> Internet worth of AAAA RRs.
>
> Sure, you can have the entire CIDR in your DNSBL, but you can't use that
> DNSBL, using current methods, effectively, since you have to reverse,
> query, and wait for each source IP.
>
> You need to preload, and use an alternate query method. RFC 3123 is a
> good start for such a method. It's part of how we do this in ThreatSTOP.

i disagree for three reasons.

first, i suggest that we'll have to blackhole by /64 most of the time
anyway since the lower 64 bits of an IP address are assignable by the
malware.  doing it on the /56 (or /48) will be an adaptive thing based on
density and can be automated.

second, we'll be wildcarding this in the authority servers to keep the zone
to a manageable size, and using very short DNS TTLs in order that the
recursive server's cache won't explode when rapid readdressing occurs.
(any rdns cache without background expiration will die hard and often.)

third, smtp responders already have to do a DNS query per inbound message;
there's no new DNS transaction load due to ipv6's new vulnerabilities
vs. ipv4.

i agree for a reason not mentioned yet.  blackholing by source IP hasn't
worked for years since so much spam is mixed in with non-spam from addresses
like the gmail and hotmail and aol servers which for business reasons no one
is comfortable blackholing.  the spammers won this round in 2002 or so.

also, the absence of a PTR RR or its presence having a specific pattern is
a better input to the filter than the recent reputation of the ip address.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
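The exchange above turns on two mechanics: a client that queries the DNSBL with the full 128-bit address gets a distinct name (and cache entry) for every random interface identifier, while a listing expressed as one wildcard RR per /64 (or /48) in the authority zone covers the whole block with a single record. The block below is an added illustration of those two points, not code from Paul Vixie, ThreatSTOP, or the funsec list; it uses a constructed placeholder zone name (`bl.example`), a constructed in-memory zone, and hypothetical helper names (`dnsbl_name`, `wildcard_owner`, `lookup`, `listed`), and it models plain reversed-nibble DNSBL queries rather than the RFC 3123 APL method mentioned in the quoted message.

```python
import ipaddress
import random
from typing import Optional

# Constructed placeholder zone name; not a real DNSBL.
ZONE = "bl.example"


def dnsbl_name(addr: str, prefixlen: int = 128, zone: str = ZONE) -> str:
    """Build the reversed-nibble query name for addr under zone.

    prefixlen=128 gives the conventional per-address name (32 labels);
    prefixlen=64 keeps only the top 16 nibbles, so every host in the /64
    produces the same name and one cache entry serves the whole block.
    """
    if prefixlen % 4:
        raise ValueError("prefix length must fall on a nibble boundary")
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")  # 32 hex digits
    kept = nibbles[: prefixlen // 4]
    return ".".join(reversed(kept)) + "." + zone


def wildcard_owner(prefix: str, zone: str = ZONE) -> str:
    """Owner name of a single wildcard RR that covers every address in prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    return "*." + dnsbl_name(str(net.network_address), net.prefixlen, zone)


def lookup(qname: str, zone_data: dict) -> Optional[str]:
    """Simplified DNS wildcard matching: exact owner first, then the closest
    enclosing '*.' owner (ignores the empty-non-terminal subtleties of RFC 4592).
    """
    if qname in zone_data:
        return zone_data[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone_data:
            return zone_data[candidate]
    return None


# Constructed zone: one wildcard RR per blackholed /64, plus a /48 for a denser block.
ZONE_DATA = {
    wildcard_owner("2001:db8:1:2::/64"): "127.0.0.2",
    wildcard_owner("2001:db8:ffff::/48"): "127.0.0.2",
}


def listed(addr: str, zone_data: dict = ZONE_DATA) -> bool:
    """True if the per-address query name hits a listing, directly or via wildcard."""
    return lookup(dnsbl_name(addr), zone_data) is not None


def random_hosts(prefix: str, n: int, seed: int = 1) -> list:
    """Constructed sample: n addresses in prefix with random interface identifiers."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    rng = random.Random(seed)
    return [str(net[rng.getrandbits(128 - net.prefixlen)]) for _ in range(n)]


def distinct_names(addrs, prefixlen: int) -> int:
    """How many distinct query names (i.e. resolver cache entries) a set of addresses produces."""
    return len({dnsbl_name(a, prefixlen) for a in addrs})


if __name__ == "__main__":
    hosts = random_hosts("2001:db8:1:2::/64", 1000)
    print("per-address query names:", distinct_names(hosts, 128))
    print("per-/64 query names:    ", distinct_names(hosts, 64))
    print("all hosts caught by one wildcard RR:", all(listed(h) for h in hosts))
```

Run stand-alone, the script shows 1000 distinct per-address names collapsing to a single per-/64 name, and every one of the randomized hosts matching the one wildcard record; the /48 entry shows the same mechanism at the coarser granularity the message describes escalating to when a block is dense enough.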