On 1/24/12 4:29 PM, David Romerstein wrote:
> On 1/24/12 10:19 AM, Emanuele Balla (aka Skull) wrote:
>> In truth there's
>> in point 3.3:
>>
>> « Note: In Section 3.4, it is noted that some DNSBLs have shut down in
>> such a way to list all of the Internet. Further, in Section 3.5,
>> DNSBL operators MUST NOT list 127.0.0.1. Therefore, a positive
>> listing for 127.0.0.1 SHOULD indicate that the DNSBL has started
>> listing the world and is non-functional. »
>>
>> and again, in point 3.5:
>>
>> « A functioning DNSBL MUST NOT list 127.0.0.1. There are a number of
>> mail server implementations that do not cope with this well, and many
>> will use a positive response for 127.0.0.1 as an indication that the
>> DNSBL is shut down and listing the entire Internet.»
>
> "Listing 127.0.0.1" is not the same as "returning 127.0.0.1".

Damm. FAIL. :-D


--
Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.
-----------------------------------------------------------------------------
http://bofhskull.wordpress.com/

On 1/24/12 4:35 PM, Rich Kulawiec wrote:
> On Tue, Jan 24, 2012 at 04:19:00PM +0100, Emanuele Balla (aka Skull) wrote:
>> and again, in point 3.5:
>>
>> ? A functioning DNSBL MUST NOT list 127.0.0.1. There are a number of
>> mail server implementations that do not cope with this well, and many
>> will use a positive response for 127.0.0.1 as an indication that the
>> DNSBL is shut down and listing the entire Internet.?
>>
>> That is not clearly against "listing everything as a punishment", but
>> means uribl.com is technically "non-functional"... ;-)
>
> I may well be misreading this report AND the RFC (coffee level: alarmingly
> low) but it appears to me that this DNSBL is not listing "127.0.0.1",
> but is returning 127.0.0.1 in response to queries for "example.com"
> (and all other domains) when those queries are issued from certain hosts.
> (And I presume those hosts are the set which have issued excessive
> and/or unwelcome queries in the opinions of the DNSBL's operators.)

You (and David) are absolutely right: I simply messed up the whole
point. ;-)


The only point that directly applies, here, is IMHO 3.3:

«
3.3. DNSBLs SHOULD Provide Operational Flags

Most IP address-based DNSBLs follow a convention of query entries for
IP addresses in 127.0.0.0/8 (127.0.0.0-127.255.255.255) to provide
online indication of whether the DNSBL is operational. Many, if not
most, DNSBLs arrange to have a query of 127.0.0.2 return an A record
(usually 127.0.0.2) indicating that the IP address is listed. This
appears to be a de facto standard indicating that the DNSBL is
operating correctly. See [RFC5782] for more details on DNSBL test
entries.

If this indicator is missing (query of 127.0.0.2 returns NXDOMAIN),
or any query returns an A record outside of 127.0.0.0/8, the DNSBL
should be considered non-functional.
»

Somehow, this seems to allow URIBL to do what it does: they state that
returning 127.0.0.1 means you're an undesired client and you have the
chance to trap that flag (with the right software, at least)...


On the other side, there's point 3.4:

«
The DNSBL operator MUST issue impending shutdown warnings (on the
DNSBL web site, appropriate mailing lists, newsgroups, vendor
newsletters, etc.), and indicate that the DNSBL is inoperative using
the signaling given in Section 3.3.
[...]

The shutdown procedure should have the following properties:

1. MUST NOT list the entire Internet
»


One could argue they're not shutting down (just listing the Internet
:-D) so the point does not apply, but IMHO the underlying concept is.

After all, they're trying to force the offending customers to change
their configurations, just as during shutdowns...


--
Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.
-----------------------------------------------------------------------------
http://bofhskull.wordpress.com/

On Jan 24, 2012, at 10:59 AM, David Romerstein wrote:

> On 1/24/12 1:50 PM, John R. Levine wrote:
>>> Listing the world for folks overloading your system is unlikely to have
>>> the effect that you want, and is most likely going to impact folks who
>>> have no say in the configuration of the receiving mail server.
>>
>> You may be right, but I have to have some sympathy for BL operators who
>> are getting bombed by clueless misconfigurations.
>
> I do not, in any way, disagree with this.
>
> I'm just wondering if there's a middle ground that can stop BL operators from being abused by (willfully or unwillfully) clueless folks without severely impacting innocent users. Something more than "just sit back and take all those stupid queries" and less than "return a response code that could indicate a listing for every one of those stupid queries".

The innocent users are the people who are abusing the blacklist and those who send email to them. And most of them are using blacklist data for scoring, not for blocking. Listing the world doesn't usually affect them much at all.

There really isn't much of a middle ground. If you have non-broken software querying the blacklist then there aren't any problems - it'll shut down gracefully when the blacklist goes away. But if the software querying the blacklist doesn't do that (and almost everything deployed is broken in that way) then you really only have three options as a blacklist operator:

1. List nothing
2. List everything
3. List things at random

(1) leads to no change, you get to keep fielding bogus DNS requests until the end of time.
(2) causes immediate change at abusers who are using the blacklist to block email, and maximises the chance of someone using the data as part of a scoring based system noticing
(3) is worse than either, as it will potentially cause some mail to be lost but is much less likely to cause people to stop using the list

This isn't a trivial problem, nor a trivial amount of traffic. In the past, I've had service overages of >$2000/mo due to massive DNSBL traffic to cbl.abuseat.com (which isn't a DNSBL, so returns "not listed" for every query).

I'm currently eating quite amazing amounts of misconfigured CBL lookup traffic (hundreds of different ways to misspell cbl.abuseat.org) - and configuring my zones to list everything still doesn't stop the traffic. I've played with long TTL delegations to non-routable addresses and suchlike, and it doesn't have much effect either. At some point I'll probably start running a "stunt" server rather than powerdns for that zone, and be more creative with how I handle the abusive queries.

Cheers,
Steve

At 11:23 25-01-2012, Dave Warren wrote:
>I have to wonder, if a DNSBL were being operated entirely on a free
>basis (rather than a freemium model), might it not be better to take
>advantage of the large caches out there rather than having thousands
>of individual servers performing the same mundane set of lookups individually?

There are no large caches out there. That's not how DNS works in my opinion.

>Obviously this negates the DNSBL's ability to try and pull cash out
>of the larger entities, but purely from a resource management point
>of view, if someone wants to offer a front-line cache for free,
>surely that should reduce load.

It is expensive to provide such a cache for free. Why would someone
want to offer such a service for free?

Regards,
-sm