On Fri, 25 Jul 2014 17:13:13 +0100 RW <rwmailli...@googlemail.com> wrote:
> On Thu, 24 Jul 2014 18:56:10 -0700
> jdebert wrote:
>
> > > > I cannot trust that the response received by sa-update is valid.
> > > > Is there another method to check for updates?
> > >
> > > If you really cannot trust *.updates.spamassassin.org DNS
> > > responses, you cannot trust *any* DNS response. Including all the
> > > DNSxLs SA uses by default. And rDNS rules. And your own SMTP's
> > > Received header.
> >
> > Wow. I never thought of that. :\
>
> Do you have any reason to think they are modifying TXT records? I'd be
> surprised if they are. Typically the way this kind of thing works is
> that they modify negative A-record results, or the DNS for malicious
> sites.

I've received empty TXT and other resource records where I was expecting something else. Sometimes the answers are not consistent. Not really sure what to make of it yet.

They won't even answer for ietf.org and isc.org, and other such malicious and dangerous sites. (As everyone knows, ietf and isc are two of the most dangerous entities on the net.) But they do respond for nsfw, known malware, paedo and porno sites.

And there have been a few other odd things happening here from time to time that likely could be attributed to dns shenanigans.

> I don't, so far, see a reason why this need have a significant impact
> on SpamAssassin. It will probably affect NO_DNS_FOR_FROM. It might
> cause problems with DNSxL per IP limits, but that depends on how it's
> implemented.

I can imagine some possibilities. Whether they can get away with it or not depends on how robust authentication is, how clever their spoofing may be, and other factors.

Controlling DNS is a less obvious way of controlling information than is blocking or redirecting http traffic. And it's more difficult to evade.

I am curious about which other service providers use these so-called "transparent DNS proxies" and just how detectable they are. Someone's already mentioned Earthlink was probably doing dns proxying.

Right now, also considering a vpn and about finding or building dns watchdogs.

jd
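A minimal form of the "dns watchdog" the poster is considering, added here as an illustration (not the poster's code): it asks several resolvers for the same TXT name and flags empty or inconsistent answers, the two symptoms described above. It assumes `dig` is on PATH; the watched names and resolver addresses are constructed placeholders, and `fetch` is pluggable so the comparison logic can be exercised without network access.

```python
"""Cross-resolver TXT watchdog: flag empty or disagreeing answers for the same name."""
import subprocess
from typing import Callable, Dict, List

# Constructed example set: a SpamAssassin update name plus the two hosts the post mentions.
WATCHED = ["mirrors.updates.spamassassin.org", "ietf.org", "isc.org"]
# Constructed resolver list: the local/ISP resolver beside two external ones.
RESOLVERS = ["127.0.0.1", "8.8.8.8", "1.1.1.1"]


def dig_txt(server: str, name: str) -> List[str]:
    """Fetch TXT records for `name` from `server` via dig; +short prints one record per line."""
    proc = subprocess.run(
        ["dig", "@" + server, name, "TXT", "+short", "+time=3", "+tries=1"],
        capture_output=True, text=True, check=False,
    )
    # Normalise: drop surrounding quotes and sort so record order does not count as a difference.
    return sorted(line.strip().strip('"') for line in proc.stdout.splitlines() if line.strip())


def compare_answers(name: str, answers: Dict[str, List[str]]) -> List[str]:
    """Return findings for one name: an empty answer from any resolver, or resolvers disagreeing."""
    findings = []
    for server, records in answers.items():
        if not records:
            findings.append(f"{name}: empty TXT answer from {server}")
    # Only compare non-empty answers; an empty one is already reported above.
    distinct = {tuple(records) for records in answers.values() if records}
    if len(distinct) > 1:
        detail = "; ".join(f"{server}={records}" for server, records in answers.items())
        findings.append(f"{name}: resolvers disagree: {detail}")
    return findings


def watchdog(names: List[str], servers: List[str],
             fetch: Callable[[str, str], List[str]] = dig_txt) -> List[str]:
    """Run every name through every resolver and collect findings (an empty list means consistent)."""
    findings: List[str] = []
    for name in names:
        findings += compare_answers(name, {server: fetch(server, name) for server in servers})
    return findings


if __name__ == "__main__":
    # Any finding means the local path answers differently from outside resolvers, which is
    # the signature of a transparent proxy rewriting or dropping records.
    for finding in watchdog(WATCHED, RESOLVERS):
        print(finding)
```

Run it from cron and diff successive outputs to see whether the inconsistencies are persistent or intermittent.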