[BBLISA] DNS scams
John P. Rouillard
rouilj at cs.umb.edu
Fri Sep 18 16:10:36 EDT 2009
In message <Pine.LNX.4.44.0909181509370.27007-100000 at citation2.av8.net>,
Dean Anderson writes:
>I've been getting a ton of these in my logs lately. At first I thought
>they might be an attack on the logging system or a seriously
>misconfigured spambot.
>
>Of course, nothing is queued and I was just about to configure SEC to
>automatically add these to my local blacklist. But then it occurred to
>me that any automatic additions in a DNS failure would break legitimate
>email. If a DNS attack were used to spoof NXDOMAIN responses or DNS were
>to fail for some other reason, it would really make a mess. Of course,
>from there, it was just another hop to recall the Kaminsky/Vixie scam to
>promote DNSSEC--and this seems like another promotion of DNSSEC...
>
>reject=553 5.1.8 <spliced67 at 027cf7c2acfd4f3>... Domain of sender address
>spliced67 at 027cf7c2acfd4f3 does not exist
Well there are a few things you can do here, if you want SEC to
blacklist you can:

  - require the failure to continue for a day or more and only blacklist
    if it seems like the pattern has outlasted any expected DNS
    failure.

  - unblacklist automatically after three days or so to allow mail to
    start flowing

however:

  - in this particular case, the domain is bogus, no dots in it, so a
    specific rule to blacklist the host sending these obviously
    impossible domains should be safe.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
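The three rules John describes (blacklist at once on a dotless sender domain, otherwise only after the NXDOMAIN rejects from a host have persisted for a day, and expire the entry after three days) as an added example in Python, not code from the thread or from SEC; the log line shape is modelled on the reject line Dean quoted, and the timestamps, relay addresses and second sender are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines shaped like the sendmail reject quoted above.
SAMPLE_LOG = """\
2009-09-18T14:00:00 relay=[192.0.2.10] reject=553 5.1.8 <spliced67@027cf7c2acfd4f3>... Domain of sender address spliced67@027cf7c2acfd4f3 does not exist
2009-09-18T14:05:00 relay=[192.0.2.10] reject=553 5.1.8 <bob@0badf00d>... Domain of sender address bob@0badf00d does not exist
2009-09-18T14:10:00 relay=[198.51.100.7] reject=553 5.1.8 <alice@example.com>... Domain of sender address alice@example.com does not exist
2009-09-19T15:00:00 relay=[198.51.100.7] reject=553 5.1.8 <alice@example.com>... Domain of sender address alice@example.com does not exist
"""

# Pull the timestamp, relay address and sender domain out of a 553 5.1.8 reject.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) relay=\[(?P<ip>[^\]]+)\] reject=553 5\.1\.8 <[^@>]+@(?P<domain>[^>]+)>"
)


def is_bogus_domain(domain):
    """A sender domain with no dot at all can never resolve; no DNS outage explains it."""
    return "." not in domain


def evaluate(log, now, sustain=timedelta(days=1), ttl=timedelta(days=3)):
    """Return {ip: (reason, unblacklist_at)} for relays that should be blacklisted at `now`.

    Dotless domains are blacklisted on first sight. Real-looking domains that
    fail are only blacklisted once the rejects from that relay span at least
    `sustain`, so a transient resolver failure never triggers an entry. Every
    entry expires `ttl` after the last matching reject so mail starts flowing again.
    """
    first_seen, last_seen, decisions = {}, {}, {}
    for line in log.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts, ip, domain = datetime.fromisoformat(m["ts"]), m["ip"], m["domain"]
        if is_bogus_domain(domain):
            decisions[ip] = ("bogus-domain", ts + ttl)
            continue
        first_seen.setdefault(ip, ts)
        last_seen[ip] = ts
    for ip, first in first_seen.items():
        if ip not in decisions and last_seen[ip] - first >= sustain:
            decisions[ip] = ("sustained-nxdomain", last_seen[ip] + ttl)
    # Drop entries whose three-day blacklist period has already elapsed.
    return {ip: d for ip, d in decisions.items() if d[1] > now}


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, datetime(2009, 9, 19, 16, 0, 0)))
```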