what happens when you put a typo in a DNSBL server?
A number of ISPs use njabl.org as a DNS BL server. However, starting Jan 2 a new domain exists "njalb.org" which is serving A records for anything queried against its DNS server. (note the difference: njaBL vs njaLB). Previous to this date a misconfigured ISP was just not being protected by the BL. Now, it's potentially dropping all mail from anyone because of the typo.

# dig +short mail.merit.edu a
198.108.1.11
# dig +short 11.1.108.198.combined.njabl.org
# dig +short 11.1.108.198.combined.njalb.org
64.20.43.107
66.45.232.66
66.45.232.75
66.45.237.187

I know of at least one ISP that is likely dropping mail from everyone...

-- 
"In the bathtub of history the truth is harder to hold than the soap, and much more difficult to find." -- Terry Pratchett
Let's all hope they don't think of the possibilities *too* quickly. On 1/16/07, Wes Hardaker <wjhns61@hardakers.net> wrote:
A number of ISPs use njabl.org as a DNS BL server. However, starting Jan 2 a new domain exists "njalb.org" which is serving A records for anything queried against its DNS server. (note the difference: njaBL vs njaLB). Previous to this date a misconfigured ISP was just not being protected by the BL. Now, it's potentially dropping all mail from anyone because of the typo.

# dig +short mail.merit.edu a
198.108.1.11
# dig +short 11.1.108.198.combined.njabl.org
# dig +short 11.1.108.198.combined.njalb.org
64.20.43.107
66.45.232.66
66.45.232.75
66.45.237.187

I know of at least one ISP that is likely dropping mail from everyone...

-- 
"In the bathtub of history the truth is harder to hold than the soap, and much more difficult to find." -- Terry Pratchett
Previous to this date a misconfigured ISP was just not being protected by the BL. Now, it's potentially dropping all mail from anyone because of the typo.
If only. I am constantly amazed at the bozos who misconfigure their DNSBL lookups and don't notice. Many people are just sure that abuse.net is a blacklist, and no matter what I do (try looking up 2.0.0.127.abuse.net) they keep hammering on it. I also see lookups to names with http// in them and just about any other idiotic mistake you can imagine, again no set of responses seems to get their attention.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
"JL" == John Levine <johnl@iecc.com> writes:
Previous to this date a misconfigured ISP was just not being protected by the BL. Now, it's potentially dropping all mail from anyone because of the typo.
JL> If only. I am constantly amazed at the bozos who misconfigure their
JL> DNSBL lookups and don't notice.

Part of the problem is that the protocol is designed to overlay an existing protocol without providing a valid positive response. In this case, lame ISP configures a typo and goes for ages without noticing that it didn't help them at all because every query was getting an NXDOMAIN back and they didn't check the traffic. Had this been a real protocol you would have gotten back a 404-like message instead! Shoe-horning DNS (or any protocol) into a solution works well only if you don't make mistakes. And we know that never happens. In the end, you don't get error messages when you misconfigure a DNSBL. That's an architectural issue with how DNSBLs work in the first place.

-- 
"In the bathtub of history the truth is harder to hold than the soap, and much more difficult to find." -- Terry Pratchett
JL> If only. I am constantly amazed at the bozos who misconfigure their
JL> DNSBL lookups and don't notice.
Part of the problem is that the protocol is designed to overlay an existing protocol without providing a valid positive response. In this case, lame ISP configures a typo and goes for ages without noticing that it didn't help them at all because every query was getting a NXDOMAIN back
Uh, not quite. Try looking up 2.0.0.127.abuse.net, and then explain to me why people keep hammering on it.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
On Tue, 16 Jan 2007, John L wrote:
Uh, not quite. Try looking up 2.0.0.127.abuse.net, and then explain to me why people keep hammering on it.
*cough*

2.0.0.127.abuse.net has address 127.255.255.255

Very cute. :)

I think this is a PEBKAC** situation, not an architectural issue.

--Steve

** P)roblem E)xists B)etween K)eyboard A)nd C)hair, in this case the KAC of the person who isn't checking that he's configured the right hostname for the DNSBL.

-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Victorville, California PGP:0xE3AE35ED
It's all fun and games until someone starts a bonfire in the living room.
On Tue, 16 Jan 2007, Wes Hardaker wrote:
A number of ISPs use njabl.org as a DNS BL server. However, starting Jan 2 a new domain exists "njalb.org" which is serving A records for anything queried against its DNS server. (note the difference: njaBL vs njaLB). Previous to this date a misconfigured ISP was just not being protected by the BL. Now, it's potentially dropping all mail from anyone because of the typo.

# dig +short mail.merit.edu a
198.108.1.11
# dig +short 11.1.108.198.combined.njabl.org
# dig +short 11.1.108.198.combined.njalb.org
64.20.43.107
66.45.232.66
66.45.232.75
66.45.237.187
right, these are those pesky njiix.net 'dns servers' that send the same 4 A's for any request. I suspect their zone config is:

*   IN A 64.20.43.107
    IN A 66.45.232.66
    IN A 66.45.232.75
    IN A 66.45.237.187

in the root.zone file :(
On 16 Jan 2007, at 17:36, Wes Hardaker wrote:
A number of ISPs use njabl.org as a DNS BL server. However, starting Jan 2 a new domain exists "njalb.org" which is serving A records for anything queried against its DNS server.
This is a common problem affecting Spamhaus and others as well; domain squatters register every variation of our domains and place wildcard DNS on them. We get quite a few complaints from users that we're blocking them and when investigated we find some postmaster has fat-fingered an entry in his spam filter and instead of "spamhaus.org" has entered a domain squatter's variation, such as one of these:

;; Query: 1.2.3.4.spamhuas.org ,type = ANY , class = ANY
                       ^^
;; ANSWERS:
1.2.3.4.spamhuas.org 3600 IN A 64.20.49.210
1.2.3.4.spamhuas.org 3600 IN A 64.20.33.115
1.2.3.4.spamhuas.org 3600 IN A 64.20.33.131
1.2.3.4.spamhuas.org 3600 IN A 64.20.33.4

;; Query: 1.2.3.4.spamhauz.org ,type = ANY , class = ANY
                         ^
;; ANSWERS:
1.2.3.4.spamhauz.org 3600 IN A 64.20.33.131
1.2.3.4.spamhauz.org 3600 IN A 64.20.49.210
1.2.3.4.spamhauz.org 3600 IN A 64.20.33.4
1.2.3.4.spamhauz.org 3600 IN A 64.20.33.115

Steve Linford
The Spamhaus Project
http://www.spamhaus.org
On Jan 16, 2007, at 8:36 AM, Wes Hardaker wrote:
A number of ISPs use njabl.org as a DNS BL server. However, starting Jan 2 a new domain exists "njalb.org" which is serving A records for anything queried against its DNS server. (note the difference: njaBL vs njaLB). Previous to this date a misconfigured ISP was just not being protected by the BL. Now, it's potentially dropping all mail from anyone because of the typo.
If you screw up your mail configuration, you'll lose email. I'm more concerned about the deluge of DNS queries caused by people who randomly punch strings into their mailfilters and cause quite a lot of traffic to third party DNS servers. When I see people doing that to my DNS servers, I add a wildcard record in the hope that they'll notice. The worst case is when they're hitting the (non-existent) blacklist just to get a value to feed into something like spamassassin that will proceed to deliver the mail anyway. There are de-facto standards that will prevent all this happening, but the writers of spam filters are (as far as I know, without exception) too stupid or too lazy to take advantage of this. Cheers, Steve
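The zone sanity check this thread keeps circling back to (the 127.0.0.2 test entry must be listed, 127.0.0.1 must not be, and answers belong inside 127.0.0.0/8, per the RFC 5782 conventions), written out as an added example; it is not code from the thread or from any list operator named in it. The resolver is a constructed stand-in so the script runs offline: the njalb.org wildcard answers come from the messages above, the njabl.org test answer is assumed, and a real deployment would swap in socket.gethostbyname_ex or a DNS library.

```python
import ipaddress
from typing import Callable

# A resolver maps a DNS name to the A records it returns; an empty list
# models NXDOMAIN / no answer (what a real DNSBL returns for unlisted IPs).
Resolver = Callable[[str], list[str]]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets under the list zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl_zone(zone: str, resolve: Resolver) -> dict:
    """Sanity-check a configured DNSBL zone before trusting its answers.
    RFC 5782: 127.0.0.2 must be listed, 127.0.0.1 must not be, and every
    answer must be in 127.0.0.0/8. A squatted wildcard zone fails all three."""
    problems = []
    listed = resolve(dnsbl_name("127.0.0.2", zone))
    if not any(ipaddress.ip_address(a) in LOOPBACK for a in listed):
        problems.append("test entry 127.0.0.2 not listed: typo, or not a DNSBL")
    unlisted = resolve(dnsbl_name("127.0.0.1", zone))
    if unlisted:
        problems.append("127.0.0.1 is listed: zone answers for every name (wildcard)")
    for addr in listed + unlisted:
        if ipaddress.ip_address(addr) not in LOOPBACK:
            problems.append(f"answer {addr} outside 127.0.0.0/8: not a DNSBL response")
            break
    return {"zone": zone, "usable": not problems, "problems": problems}


# Constructed stand-in resolver so this runs offline; a real check would call
# socket.gethostbyname_ex or a DNS library instead. combined.njabl.org is
# modelled as a well-behaved list, combined.njalb.org as the wildcard squatter.
SQUATTER_ANSWERS = ["64.20.43.107", "66.45.232.66", "66.45.232.75", "66.45.237.187"]


def fake_resolve(name: str) -> list[str]:
    if name.endswith(".combined.njalb.org"):
        return SQUATTER_ANSWERS          # wildcard: every name gets the same A records
    if name == "2.0.0.127.combined.njabl.org":
        return ["127.0.0.2"]             # only the mandatory test entry is listed
    return []                            # NXDOMAIN


if __name__ == "__main__":
    for zone in ("combined.njabl.org", "combined.njalb.org"):
        print(check_dnsbl_zone(zone, fake_resolve))
```

Running the check at mail-server start-up (or from a cron job) turns the silent NXDOMAIN-forever and wildcard-everything failure modes described in the thread into a visible error before any mail is rejected.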
participants (8): Alexander Harrowell, Chris L. Morrow, John L, John Levine, Steve Atkins, Steve Linford, Steve Sobol, Wes Hardaker