On 29 Jul 2015, at 12:02, Marc Perkel wrote:

Just wondering.

I'm thinking about creating an RBL to block email addresses. But you can't use an @ in a hostname for lookups. So - is there a standard RBL format for email addresses or do I need to just make something up?

Are you unaware of the standard DNS method for expressing an email address in a manner indistinguishable from a FQDN? Check your favorite SOA record (or any valid SOA record) for an example.

However, note that the rules for what can be in a local-part of an email address and what can distinguish them from each other are much unlike the rules for what can be in a valid DNS label and what can distinguish valid DNS labels from each other. The '@' is not even an issue, since DNS has had a standard way to handle that essentially forever. Issues include:

1. 'PoStMastEr'=='postmaster' but 'UserName'!='username' except in most places it really does, but you can't tell where the oddballs are.

2. '.' is a valid and widely used character in email local-parts. See the way DNS expresses email addresses for why this is a problem.

3. Technically, the rules for the SMTP sender address and for addresses in message header fields (e.g. "From:") are not identical. Whatever you document your DNSBL as applying to, people will use it for both of these and blame you when they get hurt by a corner case.

4. There are a huge variety of tricks played with email local-parts that are not part of any standard and which MTAs MUST NOT assume to be applicable in any domains for which they are not an authorized local-part trickster. This means that in practice there are many addresses which are the de facto 'canonical form' for extremely large sets of variants which might be used in SMTP envelopes and/or message headers, but there is no way for outsiders to canonicalize those variants. The most obvious examples are the "+" mechanism which has at least 3 variant implementations but is inapplicable in many mail systems and GMail's misguided handling of '.' in local-parts which is unique to them and at odds with the original conceptual model of email addresses, but is not formally wrong.

Executive summary: If you can't be dissuaded from the concept, do it like a domain-wise DNSBL, turn '@' into '.' and hash the whole unmodified local-part as the terminal label. Then anticipate widespread trivial evasion if it becomes at all popular, unless you do things to prevent that which will cause occasional collisions with innocent victims.
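The two encodings discussed in the reply above, as an added illustration that is not code from either participant: the SOA RNAME style ('@' to '.', with dots in the local-part escaped), the naive unescaped substitution that makes 'a.b@c.d' and 'a@b.c.d' collide, and the suggested DNSBL query name with a hash of the unmodified local-part as the leftmost label. The zone name 'addr.dnsbl.example', the choice of a truncated SHA-256 digest, and the seed addresses are all assumptions made for the example; the in-memory set stands in for the DNS lookup.

```python
import hashlib

# Assumed placeholder zone name for the address-based DNSBL (not a real list).
DNSBL_ZONE = "addr.dnsbl.example"


def split_address(address):
    """Split on the last '@' so a quoted local-part containing '@' still works."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    return local, domain.rstrip(".")


def rname_form(address):
    """Encode an address the way an SOA RNAME does: '@' becomes '.', and a '.'
    inside the local-part is escaped as '\\.' (RFC 1035 presentation format)."""
    local, domain = split_address(address)
    return local.replace(".", "\\.") + "." + domain


def naive_form(address):
    """Plain '@' -> '.' substitution with no escaping; shows why issue 2 bites."""
    local, domain = split_address(address)
    return local + "." + domain


def dnsbl_query_name(address, zone=DNSBL_ZONE):
    """Build the lookup name the reply suggests: the domain part as ordinary
    (case-folded) labels under the zone, with a hash of the *unmodified*
    local-part as the leftmost label. Hashing removes the '.' ambiguity and the
    escaping problem, at the cost of comparing the local-part byte-for-byte."""
    local, domain = split_address(address)
    # A label is at most 63 octets; a full SHA-256 hex digest is 64 characters,
    # so keep 48 (192 bits), which is plenty to avoid accidental collisions.
    digest = hashlib.sha256(local.encode("utf-8")).hexdigest()[:48]
    return f"{digest}.{domain.lower()}.{zone}"


# Constructed sample listing: the names an operator would publish as A records.
SEED_ADDRESSES = ["spammer@example.com", "postmaster@example.net"]
LISTED = {dnsbl_query_name(a) for a in SEED_ADDRESSES}


def is_listed(address, listing=LISTED):
    """Stand-in for the DNS query. DNS matches names case-insensitively, so the
    comparison is done on the lower-cased query name."""
    return dnsbl_query_name(address).lower() in listing


if __name__ == "__main__":
    print(rname_form("john.doe@example.com"))              # john\.doe.example.com
    print(naive_form("a.b@c.d") == naive_form("a@b.c.d"))  # True: ambiguous
    # Domain case is folded; local-part case, '+' tags and inserted dots are not,
    # which is exactly the trivial evasion the reply warns about.
    for probe in ["spammer@example.com", "spammer@EXAMPLE.COM",
                  "Spammer@example.com", "spammer+x@example.com",
                  "spam.mer@example.com"]:
        print(f"{probe:24} listed={is_listed(probe)}")
```

Running the block shows the trade-off in the executive summary directly: the hashed form cannot be confused by dots or escaping, but 'Spammer@example.com', 'spammer+x@example.com' and 'spam.mer@example.com' all miss a listing for 'spammer@example.com', and any canonicalisation added to catch them (lower-casing, stripping '+' suffixes or dots) would also merge addresses that some domains treat as distinct.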
