I've written a patch to qmail's DNS lookup routines to detect the
wildcard responses from Verisign and convert them internally back into
an NX_DOMAIN. I think the same dynamic strategy can also be used for
Postfix and Sendwhale.


-- read on here --

With Verisign's wildcard match for any unregistered domain they broke
the DNS in many ways. One is that return MX checks won't work anymore,
and if someone mistypes a mail recipient's domain the message will end
up on Verisign's dummy server. Today it is rejecting that stuff, but for
how long, given their track record? I bet they'll use it soon to grab
mail froms for their spam list.

We've written a patch to detect a TLD wildcard match and convert
it into an NX_DOMAIN (domain not existent), as it should be.

You can find the patch here:

 http://www.nrg4u.com


How does it work?

 Since it is not possible to directly detect whether we get a faked
 wildcard response, we first do a "*.tld" lookup (tld is dynamic from
 the lookup domain). If we get a response for that, remember its IP
 address. Now we proceed to the true and full MX/IP lookup. Then we
 check if one of the IP addresses we get this time is the same as the
 one we remembered from the wildcard lookup. If yes, we have been
 tricked and skip over it. If it was the only one, well, then it's in
 reality a non-existent domain.

 The advantage of this way of doing it (instead of statically blocking
 Verisign's IP address) is of course that it adjusts itself dynamically
 when Verisign changes its setup. In one of their papers Verisign
 cites some other TLDs who do the same. We kill them too.

 The disadvantage is that we always do one more DNS lookup for "*.tld".

-- 
Andre
----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/

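The two-step check described in the post above, written out as an added example. This is not the qmail patch from nrg4u.com and not qmail code; it models the idea against an in-memory resolver so it runs offline. The zone data, the wildcard addresses (RFC 5737 documentation ranges) and the function names are constructed for this example. Comparison happens at the address level, as the post describes; a real MX lookup would first resolve the MX hostnames to addresses before applying the same filter.

```python
# Added example (not the qmail patch itself): the dynamic "*.tld" wildcard
# check from the post, run against a constructed in-memory resolver.
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]

# Constructed sample data (not real DNS). A name maps to the addresses it
# answers with. Any name under a TLD that has a "*.<tld>" entry and is not
# listed explicitly gets the wildcard's answer, mimicking a TLD wildcard.
# All addresses are RFC 5737 documentation ranges chosen for the example.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "*.com": ["192.0.2.10"],                      # assumed wildcard target
    "example.com": ["198.51.100.5"],
    "mixed.com": ["198.51.100.7", "192.0.2.10"],  # one real, one wildcard address
    "*.net": ["192.0.2.20"],                      # second TLD with its own wildcard
    "example.net": ["198.51.100.9"],
    "example.org": ["203.0.113.3"],               # .org has no wildcard entry here
}


def tld_of(name: str) -> str:
    """Return the rightmost label of a domain name, lower-cased."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def sample_resolver(name: str) -> List[str]:
    """Stand-in for the A lookup: explicit entry, else TLD wildcard, else NXDOMAIN ([])."""
    name = name.rstrip(".").lower()
    if name in SAMPLE_ZONE:
        return list(SAMPLE_ZONE[name])
    return list(SAMPLE_ZONE.get("*." + tld_of(name), []))


def lookup_without_wildcard(name: str, resolve: Resolver) -> Tuple[List[str], List[str]]:
    """
    The two-step lookup from the post:
      1. resolve "*.<tld>" and remember the addresses it returns;
      2. resolve the real name and drop every address seen in step 1.
    Returns (surviving_addresses, dropped_addresses). An empty first list
    means the name should be treated as NXDOMAIN.
    """
    wildcard_ips = set(resolve("*." + tld_of(name)))   # the extra lookup
    answers = resolve(name)
    kept = [ip for ip in answers if ip not in wildcard_ips]
    dropped = [ip for ip in answers if ip in wildcard_ips]
    return kept, dropped


def is_nonexistent(name: str, resolve: Resolver) -> bool:
    """True when nothing is left once the wildcard addresses are removed."""
    kept, _ = lookup_without_wildcard(name, resolve)
    return not kept


def counting_resolver(resolve: Resolver) -> Tuple[Resolver, List[int]]:
    """Wrap a resolver so the number of queries can be observed."""
    counter = [0]

    def wrapped(name: str) -> List[str]:
        counter[0] += 1
        return resolve(name)

    return wrapped, counter


if __name__ == "__main__":
    for n in ["example.com", "typo-of-example.com", "mixed.com",
              "example.net", "example.org", "nosuch.org"]:
        kept, dropped = lookup_without_wildcard(n, sample_resolver)
        verdict = "NXDOMAIN" if is_nonexistent(n, sample_resolver) else "ok"
        print(f"{n:22} kept={kept} dropped={dropped} -> {verdict}")
```

Two consequences of the design are visible in the data: a name whose answer set is only the wildcard address becomes NXDOMAIN, while a TLD without a wildcard (`.org` here) is passed through unchanged because the "*.tld" query returns nothing. The trade-off the post mentions is also measurable with `counting_resolver`: every lookup costs exactly one additional query. Inherent in the address comparison is that a legitimate host which happens to share an address with the wildcard target loses that address, so a site hosted only there would be treated as non-existent.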