On Fri, 2009-07-10 at 06:15 -0400, Matt Kettler wrote:
> rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
> > > On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
> > > > Please see my initial post on Pastebin:
> > > >
> > > > http://pastebin.com/f6a83e9fb
> > >
> > > If it's true that all those domains resolve to just a handful of IP
> > > addresses, then why aren't they listed in - oh wait - SURBLs don't cover
> > > IPs just the DNS names - argh!
> > >
> > > Is there a way to do SURBL lookups of the IP instead of the FQDN?
> >
> > Is there not some kind of 'intent' plugin for SA?
> >
> > Barracuda (which steal everything else) have an intent scanner that
> > looks at links in mails and resolves the name to IP *AND* the AUTH NS.
> > Then looking the IPs found up.
>
> SA has always avoided resolving forward lookups of potentially spammer
> controlled domains to IPs. This is extremely foolish to do, as it opens
> you up to a variety of attacks against your DNS resolver. (resolver
> cache poisoning, DoS, etc)

Whilst I can see the security concern, I'm struggling to see how any properly set up resolver would be at any greater risk than clicking on the same link in an email. With SA running on a dedicated appliance any poisoning would be local only to the appliance and the risk to anything else in the network near zero. Of course this is in combination with an appliance-only implementation of BIND9 to serve its requests, so it leaves your own DNS servers alone. Sure there is a DoS risk from a nefarious domain and how you manage this will depend on the nature of any attack.

> > I can't believe they wrote it themselves - seriously I can't! What plug
> > in is it?
>
> It's no plugin I know of, but it's a feature we intentionally left out
> of SA for security reasons. So given that it's a really bad idea I'd
> guess barracuda did implement it themselves.
The way they have implemented it may be bad but my understanding is limited and I imagine you know far more than me Matt. In my time with them I was never aware of any resolver cache poisoning issues. That said, looking at the Perl for their 'intent' engine, it seems to be doing a great deal of parsing on flat files (via .idx) some running to nearly a million lines and includes domains, telephone numbers and full URIs. That has got to be seriously inefficient. The DNS based checks come from 'real time intent' as they call it.
In principle it's a good idea to resolve links to IPs and check them out. I don't think it's foolish - but that is my opinion. The safest implementation of it is the key and how far you are prepared to go with it depends on if you want to drop the mail outright or just give it a few fractions of a point. As an aside, Barracuda have now dropped 'Bayes' by default in their version 4 spam firewall firmware. The view was spam has changed and it is not that useful in fighting it. I don't know if I agree with that or not - but I don't want to digress.
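As an added example (not code from the thread, SpamAssassin or Barracuda), here is a bounded "resolve the link's host, then look the IP up" check in Python. The blocklist zone, the resolver callback and the sample records are assumptions; the resolver is injected so the per-message lookup cap (the DoS concern above) and the one-query-per-distinct-IP rule (many domains behind a handful of IPs) can be exercised without touching a live DNS.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Assumptions for this example: the blocklist zone, the resolver callback and the
# sample data below are all constructed; none of them come from the thread.
IP_BL_ZONE = "ipbl.example.invalid"
MAX_RESOLVES_PER_MESSAGE = 10   # bound the resolver work one message can trigger
HIT_SCORE = 0.5                 # "a few fractions of a point" per listed IP, not a drop
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
Resolver = Callable[[str], Optional[List[str]]]   # hostname -> A records, or None

def extract_hosts(body: str) -> List[str]:
    """Distinct, lower-cased hostnames (or IP literals) from http(s) URIs in the body."""
    hosts: List[str] = []
    for uri in URI_RE.findall(body):
        host = urlsplit(uri.rstrip(".,);")).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts

def reverse_ip_query(ip: str, zone: str = IP_BL_ZONE) -> str:
    """DNSBL query name for an IPv4 address: octets reversed, zone appended."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

def score_message(body: str, resolve: Resolver, listed: Callable[[str], bool]) -> Dict:
    """Resolve each URI host (bounded), query each distinct IP once, score the hits."""
    seen, hits, resolves = set(), [], 0
    for host in extract_hosts(body):
        try:
            ips = [str(ipaddress.IPv4Address(host))]   # IP literal: nothing to resolve
        except ValueError:
            if resolves >= MAX_RESOLVES_PER_MESSAGE:
                break                 # stop spending resolver time on this message
            resolves += 1
            ips = resolve(host) or []
        for ip in ips:
            if ip not in seen:
                seen.add(ip)
                if listed(reverse_ip_query(ip)):
                    hits.append((host, ip))
    return {"hits": hits, "score": HIT_SCORE * len(hits), "resolves": resolves}

# Constructed sample data: three spam-style domains behind one listed IP, one clean host,
# and one URI that carries a listed IP literal directly.
SAMPLE_A_RECORDS = {"a.example": ["192.0.2.10"], "b.example": ["192.0.2.10"],
                    "c.example": ["192.0.2.10"], "shop.example": ["198.51.100.5"]}
SAMPLE_LISTED = {reverse_ip_query("192.0.2.10"), reverse_ip_query("203.0.113.7")}
SAMPLE_BODY = ("Click http://a.example/x or http://B.example/y, also http://c.example/\n"
               "Legit: https://shop.example/ and http://203.0.113.7/promo")
```

Calling `score_message(SAMPLE_BODY, SAMPLE_A_RECORDS.get, SAMPLE_LISTED.__contains__)` spends four resolves on the sample and scores two hits: the shared listed IP is queried once for all three domains, and the IP literal costs no resolve at all.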