
Mailing List Archive: SpamAssassin: devel

[Bug 6803] Add input validation to responses from DNSBL queries

 

 



bugzilla-daemon at bugzilla

Jun 8, 2012, 12:38 AM

Post #1 of 13 (391 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

Jeff Chan <jeffc [at] surbl> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jeffc [at] surbl

--- Comment #1 from Jeff Chan <jeffc [at] surbl> ---
Whoops, that should be 127/8.

--
You are receiving this mail because:
You are the assignee for the bug.


bugzilla-daemon at bugzilla

Jun 8, 2012, 5:53 AM

Post #2 of 13 (374 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

Kevin A. McGrail <kmcgrail [at] pccc> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |kmcgrail [at] pccc
Resolution|--- |DUPLICATE

--- Comment #2 from Kevin A. McGrail <kmcgrail [at] pccc> ---
Jeff,

This is really a duplicate of Bug 6728. As you'll see that bug gets messy
because there is an RFC for RBLs that hasn't gained any traction IMO.

However, see http://wiki.apache.org/spamassassin/DnsBlocklists and see
http://wiki.apache.org/spamassassin/DnsBlocklistsInclusionPolicy.

And as noted, we have a BLOCKED response code available that even points to a
page and mentions using your own DNS, etc.

Perhaps SURBL can implement the BLOCKED response code as well and join the
other two RBLs for SA that have that implemented?

Regards,
KAM

*** This bug has been marked as a duplicate of bug 6728 ***



bugzilla-daemon at bugzilla

Jun 8, 2012, 7:55 AM

Post #3 of 13 (373 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

--- Comment #3 from Jeff Chan <jeffc [at] surbl> ---
SURBL is not doing blocking the way the other lists are, therefore that issue
is not affecting users of SURBL data, and this issue is different from 6728.

The biggest problem is deliberate DNS corruption mostly by providers'
nameservers. That potentially affects *all* DNSBLs.



bugzilla-daemon at bugzilla

Jun 8, 2012, 7:56 AM

Post #4 of 13 (376 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

Jeff Chan <jeffc [at] surbl> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|DUPLICATE |---

--- Comment #4 from Jeff Chan <jeffc [at] surbl> ---
Not a duplicate. The issue raised is entirely different.



bugzilla-daemon at bugzilla

Jun 8, 2012, 8:01 AM

Post #5 of 13 (372 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

--- Comment #5 from Kevin A. McGrail <kmcgrail [at] pccc> ---
(In reply to comment #4)
> Not a duplicate. The issue raised is entirely different.

I think not. See 6728 comment 7. It has to do with validation outside of
127/8 which has been discussed before.

If you agree, we can reopen that ticket or at least cross-reference to this
one.

Regards,
KAM



bugzilla-daemon at bugzilla

Jun 8, 2012, 8:05 AM

Post #6 of 13 (376 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

John Hardin <jhardin [at] impsec> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jhardin [at] impsec

--- Comment #6 from John Hardin <jhardin [at] impsec> ---
(In reply to comment #4)
> Not a duplicate. The issue raised is entirely different.

Agreed.

If there is some concern about standardization of valid responses to 127/8,
then allow configuration of a netblock per DNSBL site, and ignore responses
outside of that site's configured valid netblock.



bugzilla-daemon at bugzilla

Jun 8, 2012, 8:06 AM

Post #7 of 13 (369 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

--- Comment #7 from Darxus <Darxus [at] ChaosReigns> ---
I think the current SURBL rules only match on the last octet:

25_uribl.cf:urirhssub URIBL_SC_SURBL multi.surbl.org. A 2

This could be handled by just changing the rules to match the entire expected IP
returned, similar to:

72_active.cf:header RCVD_IN_DNSWL_HI
eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.3$')

Of course it's not the only option. Throwing some alert (rule) on non-128/8
addresses would be nice.



bugzilla-daemon at bugzilla

Jun 8, 2012, 8:10 AM

Post #8 of 13 (374 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

--- Comment #8 from AXB <axb.lists [at] gmail> ---
To me it makes more sense to educate ppl who have a problem than hide it from
them.
If they haven't figured out the issue on their own, they'll hardly figure out
the meaning of a warning - if they ever see it.
The only way that seems to get their attention is if they feel some pain.



bugzilla-daemon at bugzilla

Jun 8, 2012, 8:12 AM

Post #9 of 13 (370 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

--- Comment #9 from Kevin A. McGrail <kmcgrail [at] pccc> ---
(In reply to comment #8)
> To me it makes more sense to educate ppl who have a problem than hide it
> from them.
> If they haven't figured out the issue on their own, they'll hardly figure
> out the meaning of a warning - if they ever see it.
> The only way that seems to get their attention is if they feel some pain.

SA cannot promote a position where rules purposefully trigger causing
inaccurate results to gain Admin attention. I have and will fight that tooth
and nail.



bugzilla-daemon at bugzilla

Jun 8, 2012, 8:15 AM

Post #10 of 13 (371 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

--- Comment #10 from Jeff Chan <jeffc [at] surbl> ---
Comment 7 of bug 6728 is arguably off topic for that bug. The issue in this
bug is different from the core purpose of the other bug which is to correctly
interpret a signal of being deliberately blocked.

This bug is about unintentional DNS corruption by intermediary recursive
nameservers. The other bug is about intentional signalling of being blocked
via a special response by authoritative nameservers. These are not the same
issues.



bugzilla-daemon at bugzilla

Jun 8, 2012, 8:16 AM

Post #11 of 13 (371 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

--- Comment #11 from Jeff Chan <jeffc [at] surbl> ---
(In reply to comment #7)
> I think the current SURBL rules only match on the last octet:
>
> 25_uribl.cf:urirhssub URIBL_SC_SURBL multi.surbl.org. A 2
>
> This could be handled by just changing the rules to match the entire expected
> IP returned, similar to:
>
> 72_active.cf:header RCVD_IN_DNSWL_HI
> eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.3$')
>
> Of course it's not the only option. Throwing some alert (rule) on non-128/8
> addresses would be nice.

SURBL may want to use other than the last octet. Therefore 127/8 is better and
more universal with respect to other DNSBLs some of which do use the other
octets.



bugzilla-daemon at bugzilla

Jun 8, 2012, 8:22 AM

Post #12 of 13 (376 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

--- Comment #12 from Kevin A. McGrail <kmcgrail [at] pccc> ---
I can agree this ticket can stay open and leave the other resolved.

I believe we need an alert rule that triggers for ANY rbl response outside of
127/8. Then if local admins don't like it SCORE 0 would disable. The
description of the rule will link to a page that discusses using your own DNS,
etc.

I think this is the best course of action short of maintaining a list regarding
every individual RBL's policy re what is a valid response.

I've asked Darxus if he can take a shot at this code.



bugzilla-daemon at bugzilla

Jun 8, 2012, 8:29 AM

Post #13 of 13 (372 views)
Permalink
[Bug 6803] Add input validation to responses from DNSBL queries [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803

--- Comment #13 from Jeff Chan <jeffc [at] surbl> ---
I am agnostic about what the best solution is, but I'm certain that input
validation is a very good idea that is needed and will address a too common
problem.

--
You are receiving this mail because:
You are the assignee for the bug.
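
The validation discussed in this thread, as an added example that is not SpamAssassin code and not written by any participant: it rejects DNSBL answers outside 127/8 (or outside a per-list netblock, as comment #6 suggests) before applying the last-octet test, and reports them for an alert rule as comment #12 proposes. The function names, the `dnsbl.example.` zone with its narrower netblock, and the sample answers are assumptions constructed for illustration; the bit value 2 is taken from the URIBL_SC_SURBL rule quoted in comment #7.

```python
import ipaddress

# Default netblock for valid DNSBL answers, as discussed in the thread.
DEFAULT_VALID_NET = ipaddress.ip_network("127.0.0.0/8")

# Hypothetical per-list overrides (the per-DNSBL netblock idea from comment #6).
# The narrower block for this example zone is an assumption, not a real policy.
PER_LIST_VALID_NET = {
    "dnsbl.example.": ipaddress.ip_network("127.0.0.0/24"),
}


def naive_last_octet_match(answer, bitmask):
    """Last-octet-only test: ignores the first three octets of the answer."""
    return bool(int(answer.rsplit(".", 1)[1]) & bitmask)


def classify_answer(zone, answer, bitmask):
    """Return (verdict, detail); verdict is 'listed', 'not-listed' or 'invalid'."""
    try:
        addr = ipaddress.IPv4Address(answer)
    except ipaddress.AddressValueError:
        return ("invalid", "not an IPv4 address")
    valid_net = PER_LIST_VALID_NET.get(zone, DEFAULT_VALID_NET)
    if addr not in valid_net:
        # Typical of a resolver that rewrites NXDOMAIN to its own web server.
        return ("invalid", f"{addr} outside {valid_net}")
    if (int(addr) & 0xFF) & bitmask:
        return ("listed", f"{addr} matches bitmask {bitmask}")
    return ("not-listed", f"{addr} does not match bitmask {bitmask}")


def evaluate(zone, answers, bitmask):
    """Summarise one lookup: a real hit, plus details for an alert rule."""
    verdicts = [classify_answer(zone, a, bitmask) for a in answers]
    return {
        "hit": any(v == "listed" for v, _ in verdicts),
        "alert": [d for v, d in verdicts if v == "invalid"],
    }


# Constructed sample answers: a genuine listing, a genuine non-match, and a
# rewritten answer in a documentation range whose last octet (66) has bit 2 set.
SAMPLE_ANSWERS = ["127.0.0.2", "127.0.0.4", "203.0.113.66"]

if __name__ == "__main__":
    for a in SAMPLE_ANSWERS:
        print(a, naive_last_octet_match(a, 2),
              classify_answer("multi.surbl.org.", a, 2))
```

The third sample answer passes the last-octet-only test but is classified as invalid once the netblock is checked first, which is the false positive this bug is about.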
