
Re: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new




On Sep 17, 2003, at 5:37 AM, jamie rishaw wrote:


Please provide code / config (explain).

On Wed, Sep 17, 2003 at 12:42:19AM -0400, Joshua Levitsky wrote:

On Sep 16, 2003, at 11:16 PM, Thor Larholm wrote:


Mail administrators
who use any non-existent DNSBL to mark email as spam suddenly have all
their mails deleted,

Actually I figured out how to use it to my advantage. I query "." which
is my own DNS server of course as an ip4r blacklist and if the IP for
Verisign's site is returned then I give the spam a very high score. Any
domain that doesn't exist would fail this, but any other domain would
not return that IP, but rather the proper IP. I'm still pissed at
Verisign, but I always try to turn a problem into an opportunity so
now I'm using their greed to block spam.


I use Declude which is a plugin to IPSwitch's IMail product.

VERISCAM rhsbl . 64.94.110.11 1 0

Above is the config line I am using. Basically "VERISCAM" is the name of my test. It's a "rhsbl" test which is a Right Hand Side test. Your spam filter software needs to be able to do RHS style lookups where it's looking at what is to the right of the @ sign. So jlevitsk@xxxxxxxxxx could come from an AOL mail server, but my RHS test looks at joshie.com rather than the AOL server that handed the mail to your server. The next field is "." which is normally where I put like "orbs.dorkslayers.com" or such... the zone that I'm going to query. By putting a "." in then it is checking my local zone and so the query hits my own DNS. That's just where the query goes. "64.94.110.11" is the result I'm looking for from the server. Various ip4r tests result in like 127.0.0.2 or 127.0.0.3 and different values normally mean different kinds of listings like open relay vs. porn spam ... you get the idea. In this case a 64.94.110.11 would return from my own DNS server for any @bla.com that did not resolve.

This test catches anyone using phoney domains that don't exist.

-Josh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
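
The right-hand-side check described in the message above, as an added Python example that is not part of the original post and is not Declude's code: it takes the domain to the right of the @ sign, resolves it, and scores the sender when the answer is the wildcard address 64.94.110.11 quoted in the post. The function names, the `weight` parameter and the sample domains are assumptions made for illustration, and the resolver data is constructed so the example runs offline.

```python
import socket

SITEFINDER_IP = "64.94.110.11"  # wildcard answer quoted in the post

def rhs_domain(sender):
    """Return the domain right of the last '@', lowercased, or None if malformed."""
    local, sep, domain = sender.strip().strip("<>").rpartition("@")
    domain = domain.rstrip(".").lower()
    return domain if sep and local and domain else None

def system_resolver(name):
    """A-record lookup through the local resolver; empty set when nothing resolves."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def veriscam(sender, resolve=system_resolver, weight=1):
    """Return (verdict, score); weight is a hypothetical score for a wildcard hit."""
    domain = rhs_domain(sender)
    if domain is None:
        return ("malformed", 0)
    addrs = resolve(domain + ".")  # trailing dot: no search-list expansion
    if SITEFINDER_IP in addrs:
        return ("wildcard", weight)  # the name resolves only through the wildcard
    if not addrs:
        return ("no-address", 0)  # nothing came back, so this test adds nothing
    return ("resolves", 0)

# Constructed resolver data so the example runs offline (not real DNS answers).
SAMPLE_ZONE = {
    "registered-sample.com.": {"192.0.2.10"},
    "unregistered-sample.com.": {SITEFINDER_IP},
    "filtered-sample.net.": set(),
}

def sample_resolver(name):
    """Stand-in for a DNS lookup, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, set())

if __name__ == "__main__":
    for sender in ("alice@registered-sample.com", "<bob@Unregistered-Sample.COM>",
                   "carol@filtered-sample.net", "not-an-address"):
        print(sender, veriscam(sender, resolve=sample_resolver))
```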