[Dshield] Need some help testing

Walter Dnes waltdnes at waltdnes.org
Tue Jul 10 04:11:26 GMT 2007


On Sat, Jul 07, 2007 at 09:32:03PM -0700, Tomas L. Byrnes wrote
> If you use drafts for public connectivity, you are asking for trouble.
> What you propose is akin to trying to run OSPF and/or BGP with all
> connected peers, and not accepting traffic from those that don't
> provide you routing information via those methods.

  I use very similar rules, and was not aware of the draft.  My rules
evolved over time based on trial-and-error, and not getting a bunch of
false-positives.

> PTR records are created for many reasons, and in many cases have
> been around a lot longer than the drafts you reference or their
> predecessors, and are usually used by the OSS/NMS systems for node
> identification, so changing them is a non-trivial exercise.
> 
> IMNSHO, your approach has a very high probability of false positives.

  First a slightly off-topic note, does anyone know what's up with
clss.net (Aurora Internet)?  They seem to have been down since the
weekend.  I normally use them as my personal domain's MX handler,
because they allow *ENDUSERS* to implement the type of SMTP-stage
filtering (rejects get the big 550, *NOT A DSN*) being discussed here.
Here are some of the rules I use...

# reject email from sites whose rDNS smells dynamic
PIREJECTREGEX [0-9]+-[0-9]+-[0-9]+
PIREJECTREGEX [0-9]+\.[0-9]+\.[0-9]+
PIREJECTREGEX adsl
PIREJECTREGEX dhcp
PIREJECTREGEX dynamic
PIREJECTTAIL ipt.aol.com
PIREJECTTAIL dslaccess.aol.com
PIREJECTTAIL res.rr.com
PIREJECTTAIL cpe.net.cable.rogers.com


  PIREJECTREGEX matches any part of the rDNS
  PIREJECTTAIL matches against the tail end of the rDNS

  Over a period of a few years I've had to whitelist only 2 people.  In
both cases, the false positive came from matching the first 2 rules
above.  A webhost would get a /24 from BIGISP, and the entire /24 had
rDNS like 4.3.2.1.BIGISP.com.  The webhosting service had not gotten the
rDNS changed.  Note: I do not block on the sender's email address or
envelope sender mismatching the domain of the sending MTA.  The block is
based solely on the sending MTA's rDNS.

  A couple of other rules I also use are...

HIREJECTTAIL waltdnes.org
REJECTNOHOSTNAME

  The first one blocks spammers HELO'ing with my domain.

  The second one blocks IP addresses with no rDNS whatsoever.

  One item I am against is *STATIC* lists of "bogon" IANA Reserved, but
otherwise valid, addresses.  Apparently, IANA allocated 99.0.0.0/8 to
ARIN back in October, and ARIN sub-allocated a bit of it to Rogers Cable
recently.  There's a thread at digitalhome.ca
http://www.digitalhome.ca/forum/showthread.php?t=63495 about Rogers
customers who are being blocked from *WEBSITES* because of the
addresses.  I assume that any small ISP that set up in 99.0.0.0/8 would
also experience blocking against its MTA.

-- 
Walter Dnes <waltdnes at waltdnes.org> In linux /sbin/init is Job #1
Q. Mr. Gandhi, what do you think of Microsoft security?
A. I think it would be a good idea.
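As an added illustration (this is the editor's own code, not anything from clss.net or from the poster), here is a small Python evaluator that applies the rule set quoted in the message the way the message describes it: PIREJECTREGEX is searched anywhere in the rDNS name, PIREJECTTAIL and HIREJECTTAIL are matched against the tail of the rDNS name and of the HELO name respectively, and REJECTNOHOSTNAME rejects a client that has no rDNS at all. The decision is made only from the connecting MTA's rDNS and HELO, and a hit returns the text of a 550 reply to send at SMTP time instead of accepting and bouncing. It also reproduces the false positive described above (a webhost inside BIGISP's /24 whose rDNS still looks like 4.3.2.1.BIGISP.com) and shows a whitelist entry overriding it. Label-boundary tail matching, first-match-wins ordering, the CIDR whitelist, and the sample IPs and host names are assumptions of this example, not documented clss.net behaviour.

```python
"""Toy evaluator for the rDNS / HELO reject rules quoted in the post.

Added example, not code from clss.net or the original poster.  Rule
semantics follow the post's description; everything else (label-boundary
tail matching, first-match-wins ordering, a CIDR whitelist, the sample
clients below) is this example's own assumption.
"""
import re
from ipaddress import ip_address, ip_network

# The rule set as posted, plus the two extra rules mentioned later in the post.
RULE_TEXT = r"""
# reject email from sites whose rDNS smells dynamic
PIREJECTREGEX [0-9]+-[0-9]+-[0-9]+
PIREJECTREGEX [0-9]+\.[0-9]+\.[0-9]+
PIREJECTREGEX adsl
PIREJECTREGEX dhcp
PIREJECTREGEX dynamic
PIREJECTTAIL ipt.aol.com
PIREJECTTAIL dslaccess.aol.com
PIREJECTTAIL res.rr.com
PIREJECTTAIL cpe.net.cable.rogers.com
HIREJECTTAIL waltdnes.org
REJECTNOHOSTNAME
"""


def parse_rules(text):
    """Turn the rule file into a list of (keyword, argument) tuples, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "PIREJECTREGEX":
            rules.append((keyword, re.compile(arg, re.IGNORECASE)))
        elif keyword in ("PIREJECTTAIL", "HIREJECTTAIL"):
            rules.append((keyword, arg.lower().rstrip(".")))
        elif keyword == "REJECTNOHOSTNAME":
            rules.append((keyword, None))
        else:
            raise ValueError("unknown rule keyword: %s" % keyword)
    return rules


def tail_matches(name, tail):
    # "Tail" match on label boundaries (assumption): ipt.aol.com matches
    # x.ipt.aol.com and ipt.aol.com itself, but not script.aol.com.
    return name == tail or name.endswith("." + tail)


def smtp_verdict(client_ip, rdns, helo, rules, whitelist=()):
    """Return None to accept the connection, or the 550 reply to send at SMTP time.

    Only the connecting MTA's rDNS and HELO are consulted, never the envelope
    or header sender, matching the approach described in the post.
    """
    ip = ip_address(client_ip)
    if any(ip in ip_network(net) for net in whitelist):
        return None  # manually whitelisted, e.g. the webhost inside BIGISP's /24
    name = (rdns or "").rstrip(".").lower()
    helo = (helo or "").rstrip(".").lower()
    for keyword, arg in rules:  # first matching rule wins (assumption)
        if keyword == "REJECTNOHOSTNAME" and not name:
            return "550 %s has no reverse DNS" % client_ip
        if keyword == "PIREJECTREGEX" and name and arg.search(name):
            return "550 reverse DNS %s looks dynamic (matched /%s/)" % (name, arg.pattern)
        if keyword == "PIREJECTTAIL" and tail_matches(name, arg):
            return "550 reverse DNS %s is under rejected domain %s" % (name, arg)
        if keyword == "HIREJECTTAIL" and tail_matches(helo, arg):
            return "550 HELO %s falsely claims my own domain" % helo
    return None


RULES = parse_rules(RULE_TEXT)

# Constructed sample clients: documentation-range IPs and invented host names.
SAMPLE_CLIENTS = [
    ("192.0.2.10", "mail.example.net", "mail.example.net"),
    ("192.0.2.11", "cpe0011223344-cm.cpe.net.cable.rogers.com", "localhost"),
    ("192.0.2.12", "host-10-20-30.adsl.example-isp.net", "example.com"),
    ("192.0.2.13", None, "mail.example.org"),
    ("192.0.2.14", "mail.example.org", "mail.waltdnes.org"),
    ("192.0.2.15", "4.3.2.1.bigisp.example", "mail.webhost.example"),
]

if __name__ == "__main__":
    for client_ip, rdns, helo in SAMPLE_CLIENTS:
        print(client_ip, rdns, helo, "->",
              smtp_verdict(client_ip, rdns, helo, RULES) or "accept")
    # The webhost false positive from the post, cleared by whitelisting its /24.
    print("whitelisted ->", smtp_verdict("192.0.2.15", "4.3.2.1.bigisp.example",
                                         "mail.webhost.example", RULES,
                                         whitelist=["192.0.2.0/24"]) or "accept")
```

Running the script prints one verdict per sample client; the last line shows the same BIGISP-style rDNS that the dotted-quad regex rejects being accepted once its /24 is whitelisted, which is the manual exception the post describes having to make twice in several years.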

