
DNS Blacklist wildcard query: distinguish IP v4/v6 to avoid false positives
Hi Gang

I am part of the SWINOG Anti-Spam Blacklists team, which is used by a
handful of Swiss ISPs.

Very early, we also started adding IPv6 addresses to the blacklist but
soon noticed that there is a potential problem with IPv6 and wildcard
entries.

Let's assume 2.0.0.0/24 is full of abusers and you decide to throw their
whole /24 in the Blacklist:

*.0.0.2.dnsbl.example.org 300 in TXT "Bunch of abusers, /24 listed"

This would wrongfully block an awful lot of IPv6 addresses!

To avoid this issue, we use two different dns zones:

*.0.0.2.dnsbl.example.org 300 in TXT "Bunch of abusers, /24 listed"

*.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.dnsbl.example.org in TXT
"Spamer /64 listed"

Well, but now I need to tell SpamAssassin to only query IPv4 addresses
on the first zone and only query IPv6 addresses on the ip6 one.

I was not able to find a way to achieve this. Did I overlook something?

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Switzerland Web http://www.imp.ch
______________________________________________________
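The false positive described in the message above, as an added example that is not part of the thread (Python rather than SpamAssassin's Perl; `dnsbl.example.org`, `ip6.dnsbl.example.org` and the sample addresses are constructed, and the wildcard matcher uses simplified RFC 4592 semantics). It builds the reversed query names a DNSBL client sends for IPv4 and IPv6, shows that `*.0.0.2.dnsbl.example.org` also matches reversed IPv6 nibble names, and demonstrates two defences: listing the /24 as explicit records instead of a wildcard, and a client-side guard that only queries a zone with the address family it is meant for.

```python
"""Added example: how an IPv4 wildcard DNSBL record also matches reversed
IPv6 nibble names, and two defences (explicit records, family-restricted
lookups). Zone names and sample addresses are constructed for illustration."""
import ipaddress

ZONE_V4 = "dnsbl.example.org"       # constructed, as in the thread
ZONE_V6 = "ip6.dnsbl.example.org"   # constructed, as in the thread


def dnsbl_query_name(addr: str, zone: str) -> str:
    """Build the owner name a DNSBL client queries for an address.

    IPv4: dotted octets reversed  (2.0.0.5 -> 5.0.0.2.<zone>).
    IPv6: all 32 hex nibbles reversed, one nibble per label, which is the
    form SpamAssassin uses for IPv6 DNSBL lookups.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))  # exactly 32 nibbles
    return ".".join(reversed(labels)) + "." + zone


def wildcard_matches(owner: str, qname: str) -> bool:
    """Label-based check for a DNS wildcard owner such as '*.0.0.2.<zone>'.

    Simplified RFC 4592 semantics: the wildcard matches when qname has at
    least one label in front of the wildcard's suffix (a closer explicit
    name would suppress the wildcard; this demo zone has none).
    """
    if not owner.startswith("*."):
        raise ValueError("owner must be a wildcard name")
    suffix = owner[2:]
    return qname != suffix and qname.endswith("." + suffix)


def explicit_v4_records(network: str, zone: str, rdata: str) -> dict:
    """List every address of an IPv4 network as its own TXT record, so no
    wildcard exists for a reversed IPv6 name to fall under. Returns
    {owner name: rdata}; the caller emits them in its zone file format."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 networks are expanded here")
    return {dnsbl_query_name(str(host), zone): rdata for host in net}


def family_restricted_name(addr: str, zone: str, zone_family: int):
    """Return the query name only if the address family matches the family
    the zone is meant for; otherwise None, meaning 'do not query'. This is
    the per-zone restriction the thread asks for, done on the client side."""
    ip = ipaddress.ip_address(addr)
    if ip.version != zone_family:
        return None
    return dnsbl_query_name(str(ip), zone)


if __name__ == "__main__":
    wildcard = "*.0.0.2." + ZONE_V4
    for sample in ("2.0.0.5", "3.0.0.5", "2001:db8::1", "2a00::1"):
        name = dnsbl_query_name(sample, ZONE_V4)
        print(f"{sample:>12} -> wildcard hit = {wildcard_matches(wildcard, name)}")
    # Explicit listing: the /24 is still caught, the IPv6 address is not.
    listed = explicit_v4_records("2.0.0.0/24", ZONE_V4,
                                 '"Bunch of abusers, /24 listed"')
    print(len(listed), "explicit records; IPv6 name listed:",
          dnsbl_query_name("2001:db8::1", ZONE_V4) in listed)
    # Client-side guard: IPv6 addresses are never sent to the IPv4 zone.
    print(family_restricted_name("2001:db8::1", ZONE_V4, 4))
    print(family_restricted_name("2001:db8::1", ZONE_V6, 6))
```

Run stand-alone, the wildcard reports a hit for `2.0.0.5` and for `2001:db8::1` but not for `3.0.0.5` or `2a00::1`: the reversed nibble name of any IPv6 address whose first three nibbles are `2`, `0`, `0` (the 2000::/12 block, which contains 2001::/16) ends in `.0.0.2.dnsbl.example.org`, so it falls under the IPv4 wildcard. The explicit 256-record listing has no such spillover, and `family_restricted_name` returns `None` for an IPv6 address against the IPv4 zone, which is the per-zone restriction the question asks for.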
Re: DNS Blacklist wildcard query: distinguish IP v4/v6 to avoid false positives
I don't believe that use-case has been considered before.

What does the rule you are using look like and I will double check?

On Fri, Aug 7, 2020, 05:56 Benoit Panizzon <benoit.panizzon@imp.ch> wrote:

> Hi Gang
>
> I am part of the SWINOG Anti-Spam Blacklists team, which is used by a
> handful of Swiss ISPs.
>
> Very early, we also started adding IPv6 addresses to the blacklist but
> soon noticed that there is a potential problem with IPv6 and wildcard
> entries.
>
> Let's assume 2.0.0.0/24 is full of abusers and you decide to throw their
> whole /24 in the Blacklist:
>
> *.0.0.2.dnsbl.example.org 300 in TXT "Bunch of abusers, /24 listed"
>
> This would wrongfully block an awful lot of IPv6 addresses!
>
> To avoid this issue, we use two different dns zones:
>
> *.0.0.2.dnsbl.example.org 300 in TXT "Bunch of abusers, /24 listed"
>
> *.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.dnsbl.example.org in TXT
> "Spamer /64 listed"
>
> Well, but now I need to tell SpamAssassin to only query IPv4 addresses
> on the first zone and only query IPv6 addresses on the ip6 one.
>
> I was not able to find a way to achieve this. Did I overlook something?
>
> Kind regards
>
> -Benoît Panizzon-
> --
> I m p r o W a r e A G - Head of Commerce Customers
> ______________________________________________________
>
> Zurlindenstrasse 29 Tel +41 61 826 93 00
> CH-4133 Pratteln Fax +41 61 826 93 01
> Switzerland Web http://www.imp.ch
> ______________________________________________________
>
Re: DNS Blacklist wildcard query: distinguish IP v4/v6 to avoid false positives
Benoit Panizzon wrote on 2020-08-07 11:56:

> Well, but now I need to tell SpamAssassin to only query IPv4 addresses
> on the first zone and only query IPv6 addresses on the ip6 one.

single zone with result codes for ipv4 and ipv6 ranges; the text record
needs to be overlapping in ipv4 and ipv6, but it can be separated by
result code

> I was not able to find a way to achieve this. Did I overlook something?

if it's possible it's good to check default rules :=)

check tflags, I have lost track of whether this can separate ipv4 and ipv6 here, and
Google is not my friend
Re: DNS Blacklist wildcard query: distinguish IP v4/v6 to avoid false positives
Hi!

> I don't believe that use-case has been considered before.
>
> What does the rule you are using look like and I will double check?

Not even sure why you want to add that with the asterisks there.

> Let's assume 2.0.0.0/24 is full of abusers and you decide to throw their
> whole /24 in the Blacklist:
>
> *.0.0.2.dnsbl.example.org 300 in TXT "Bunch of abusers, /24 listed"

Isn't the issue the way you load up your rbldnsd zone?

:127.0.0.2:https://www.wellknownblocklist.org/query/ip/$
1.0.20.0/24
1.0.128.0/17
!1.0.180.136

You should not use asterisks but the netmask?

Bye, Raymond
Re: DNS Blacklist wildcard query: distinguish IP v4/v6 to avoid false positives
On 7 Aug 2020, at 5:56, Benoit Panizzon wrote:

> Hi Gang
>
> I am part of the SWINOG Anti-Spam Blacklists team, which is used by a
> handful of Swiss ISPs.
>
> Very early, we also started adding IPv6 addresses to the blacklist but
> soon noticed that there is a potential problem with IPv6 and wildcard
> entries.

Easy fix: do not use wildcards in IPv4 listings.

Both rbldnsd and BIND have other mechanisms for compactly generating
records that cover an IPv4 /24 network without also generating records
for all of an IPv6 /24 network. I would expect and hope that any other
authoritative nameserver would have similar mechanisms.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: DNS Blacklist wildcard query: distinguish IP v4/v6 to avoid false positives
Hi Bill

> Easy fix: do not use wildcards in IPv4 listings.

I agree, for the purpose of a 'listed yes/no' blacklist this is the
way to go.

> Both rbldnsd and BIND have other mechanisms for compactly generating
> records that cover an IPv4 /24 network without also generating records
> for all of an IPv6 /24 network. I would expect and hope that any other
> authoritative nameserver would have similar mechanisms.

How about reputation databases which might cover the whole ipv4 range
and use more or less specific ranges with different reputation weights?

You would need quite a big DNS server to cover all 4G of ipv4 space.

And what about operators of blacklists which do use wildcards, because
they are not aware that spamassassin will also look up ipv6 addresses
against them and potentially cause false hits?

So having a way to tell spamassassin to restrict lookups on certain
blacklist with ip addresses from only one protocol version only could
still be beneficial.

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Switzerland Web http://www.imp.ch
______________________________________________________
Re: DNS Blacklist wildcard query: distinguish IP v4/v6 to avoid false positives
On Fri, 7 Aug 2020 11:56:45 +0200
Benoit Panizzon wrote:



> Well, but now I need to tell SpamAssassin to only query IPv4 addresses
> on the first zone and only query IPv6 addresses on the ip6 one.
>
> I was not able to find a way to achieve this. Did I overlook
> something?
>

It can almost be done with AskDNS, which has distinct A and AAAA
lookups. It looks like all that's needed is a reversed version
_LASTEXTERNALIP_.
Re: DNS Blacklist wildcard query: distinguish IP v4/v6 to avoid false positives
On Sat, 8 Aug 2020 16:21:24 +0100
RW wrote:

> On Fri, 7 Aug 2020 11:56:45 +0200
> Benoit Panizzon wrote:
>
>
>
> > Well, but now I need to tell SpamAssassin to only query IPv4
> > addresses on the first zone and only query IPv6 addresses on the
> > ip6 one.
> >
> > I was not able to find a way to achieve this. Did I overlook
> > something?
> >
>
> It can almost be done with AskDNS, which has distinct A and AAAA
> lookups. It looks like all that's needed is a reversed version
> _LASTEXTERNALIP_.

Sorry, that's nonsense.