develooper Front page | perl.qpsmtpd | Postings from March 2006

Re: dnsbl or spamhaus occassionally blocks wrong IP

Thread Previous | Thread Next
From:
Peter J. Holzer
Date:
March 14, 2006 13:29
Subject:
Re: dnsbl or spamhaus occassionally blocks wrong IP
Message ID:
20060314212933.GD19939@teal.hjp.at
On 2006-03-14 19:30:55 +0000, Justin Mason wrote:
> 
> interesting.  sounds a lot like:
> 
>   http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3997

Yes, thanks. I think that is the same issue.

> Peter J. Holzer writes:
> > I found 4 more mails in the last three months which were rejected
> > where the IP-Address in the error message doesn't match the IP
> > address of the connection.
[...]
> > * dnsbl sometimes gets a response to a query sent by a different
> >   forkserver child. I guess it would be possible that two forkserver
> >   processes running after each other get the same UDP port and the
> >   second gets a reply packet intended for the first. However, I would
> >   expect that Net::DNS checks whether an answer matches the query it
> >   sent ...

My expectation was wrong. As Sidney Markowitz in
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3997#c73 points
out:

| Net::DNS can't use the ID field to ensure that a bgread matches up with
| a bgsend unless it cached every socket returned by bgsend in order to
| save the ID in a hash with it.

So the matching has to be done by the application. We don't actually
have to check the ID (although we probably should to avoid spoofed
responses), but we should at least check if the name in the request
matches the name in the query. (currently the name is only extracted to
find out which rbl this was)

While investigating this (and before reading your mail) I found out two
other facts which are rather bad:

1) Net::DNS by default uses port 0, and Linux seems to assign ports
   sequentially. This makes it rather easy to guess port numbers.

2) Net::DNS assigns a random id when the package is loaded and just
   increments the id for each request. This also makes ID guessing easy.
   What's worse, with forkserver the package is loaded in the parent
   process, so every child goes through the same sequence of IDs!
   It doesn't matter in this case, since the ID isn't checked anyway,
   but for synchroneous requests it makes a difference.

	hp

-- 
   _  | Peter J. Holzer    | Ich sehe nun ein, dass Computer wenig
|_|_) | Sysadmin WSR       | geeignet sind, um sich was zu merken.
| |   | hjp@hjp.at         |
__/   | http://www.hjp.at/ |	-- Holger Lembke in dan-am

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About