http://bugzilla.spamassassin.org/show_bug.cgi?id=4242
------- Additional Comments From [EMAIL PROTECTED] 2005-04-08 06:15 -------
Not fixed.
Need to change /^$IP_PRIVATE$/ in both places to /$IP_PRIVATE/ without the ^ and $,
as IP_PRIVATE only defines the beginnings of private IPs, e.g. ^127.- and also
already has the ^ anchor, i.e. ^$IP_PRIVATE$ is ^^127$ and others,
e.g. below is wrong.
(Test with 127.0.0.2 in URL in an email as this is listed in sbl.spamhaus.org.)
+ if ($nsmatch =~ /^\d+\.\d+\.\d+\.\d+\.?$/) {
+
$nsmatch =~ s/\.$//;
+
# only look up the IP if it is public and valid
+
if ($nsmatch =~ /^$IPV4_ADDRESS$/ && $nsmatch !~ /^$IP_PRIVATE$/) {
+
$self->lookup_dnsbl_for_ip($scanstate, $ent->{obj}, $nsmatch);
+
+
}
+ }
+ else {
+
$self->lookup_a_record($scanstate, $ent->{obj}, $nsmatch);
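Review bot: The negated test $nsmatch !~ /^$IP_PRIVATE$/ in the inner if wraps IP_PRIVATE in its own ^ and $. If IP_PRIVATE is already ^-anchored and matches only the leading octets, as the comment above states, the pattern cannot match a full dotted quad, so the private-address exclusion never fires and 127.0.0.2 still reaches lookup_dnsbl_for_ip. Suggest $nsmatch !~ /$IP_PRIVATE/ here and at the other occurrence the comment mentions, plus a regression test that feeds a URI containing a private address and asserts that no DNSBL lookup is issued.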
BTW the logic of sbl.spamhaus lookups seems slightly strange at first, but seems
like a fair approach. If a URI is an IP, the IP gets looked up directly against
sbl. There are no NS records for an IP. But if the URI is a domain name, the IPs of
the NS for the domain are looked up.
The logic of spammers is quite good. Do the spam run with IPs for NS records
to evade detection by automated spam detectors such as spamassassin. Set the
TTLs low on the NS records so that by the time the spam run completes and users
start reading their mail all the URIs work and take you to the web sites.
Sooner or later they'll work out that an even better approach is to put any old
garbage in the NS records and the patch will no longer be effective. What is
needed then is a new set of rules to detect garbage NS records and NS records
with low TTLs and to score these heavily.
It's hard to say how much extra spam is detected by the fix, as the domains all
have proper hostname NS records by the time you go back and test them. You'd
need a rule that detects IPs or other garbage NS records and log matches to
this rule. (Why bother even looking up the IP NS record against SBL? Just
assign a score to IP NS records.)
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
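The rule proposed in the comment above (flag NS records whose target is an IP or other garbage, and NS records with low TTLs), as an added Perl example; it is not SpamAssassin code and not part of the bug report. The flag names, the 300-second cut-off and the sample records are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: classify NS record targets as the comment proposes.
use strict;
use warnings;

# Assumption: 300 s is an illustrative "low TTL" cut-off, not a value from the bug.
my $LOW_TTL = 300;

# Dotted quad with every octet in 0-255.
my $OCTET = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;
my $IPV4  = qr/\A$OCTET(?:\.$OCTET){3}\z/;
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen; 63 chars max.
my $LABEL = qr/[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i;

# Returns a list of (hypothetical) flag names for one NS record.
sub classify_ns {
    my ($target, $ttl) = @_;
    my @flags;
    (my $name = $target) =~ s/\.\z//;          # drop the root dot
    if ($name =~ $IPV4) {
        push @flags, 'NS_IS_IP';               # an address where a hostname belongs
    }
    elsif (length($name) > 253
        || $name !~ /\A$LABEL(?:\.$LABEL)+\z/  # needs at least two valid labels
        || $name =~ /\.\d+\z/) {               # all-numeric last label is not a real TLD
        push @flags, 'NS_GARBAGE';
    }
    push @flags, 'NS_LOW_TTL' if $ttl < $LOW_TTL;
    return @flags;
}

# Constructed sample records: [owner, TTL in seconds, NS target]
my @records = (
    [ 'example.com',  86400, 'ns1.example.net.' ],
    [ 'example.org',     60, '192.0.2.53.' ],
    [ 'example.net',    120, 'x_y..invalid.' ],
    [ 'example.info',  3600, 'localhost.' ],
);

for my $r (@records) {
    my ($owner, $ttl, $target) = @$r;
    my @flags = classify_ns($target, $ttl);
    printf "%-13s NS %-18s ttl=%-6d %s\n", $owner, $target, $ttl,
        @flags ? join(',', @flags) : 'ok';
}
```

Logging the flags per message, rather than only scoring them, gives the hit counts the comment says cannot be recovered once the NS records have been replaced with proper hostnames.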