On Tuesday, April 20, 2004, 11:45:16 PM, Daniel Quinlan wrote:
Anyhow, using a bitmask is done. OPM is probably the cleanest example. We (used to, OPM is now included in another blacklist so we dropped the rules) do OPM like this:
# header __RCVD_IN_OPM eval:check_rbl('opm', 'opm.blitzed.org.') # describe __RCVD_IN_OPM Received via a relay in opm.blitzed.org # tflags __RCVD_IN_OPM net # # header RCVD_IN_OPM_WINGATE eval:check_rbl_sub('opm', '1') # describe RCVD_IN_OPM_WINGATE OPM: sender is open WinGate proxy # tflags RCVD_IN_OPM_WINGATE net # # header RCVD_IN_OPM_SOCKS eval:check_rbl_sub('opm', '2') # describe RCVD_IN_OPM_SOCKS OPM: sender is open SOCKS proxy # tflags RCVD_IN_OPM_SOCKS net # # header RCVD_IN_OPM_HTTP eval:check_rbl_sub('opm', '4') # describe RCVD_IN_OPM_HTTP OPM: sender is open HTTP CONNECT proxy # tflags RCVD_IN_OPM_HTTP net
The second argument in check_rbl_sub is the bitmask (in decimal, not hex). We'd need to make some modifications to our URIBL module to do the same for a bitmasked SURBL, but I'm sure we would.
We'd be just as happy with multiple A record returns. NJABL is a good example of this:
------- start of cut text -------------- header __RCVD_IN_NJABL eval:check_rbl('njabl', 'dnsbl.njabl.org.') describe __RCVD_IN_NJABL Received via a relay in dnsbl.njabl.org tflags __RCVD_IN_NJABL net
header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2') describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay tflags RCVD_IN_NJABL_RELAY net
header RCVD_IN_NJABL_DIALUP eval:check_rbl('njabl-notfirsthop', 'dnsbl.njabl .org.', '127.0.0.3') describe RCVD_IN_NJABL_DIALUP NJABL: dialup sender did non-local SMTP tflags RCVD_IN_NJABL_DIALUP net
header RCVD_IN_NJABL_SPAM eval:check_rbl_sub('njabl', '127.0.0.4') describe RCVD_IN_NJABL_SPAM NJABL: sender is confirmed spam source tflags RCVD_IN_NJABL_SPAM net
header RCVD_IN_NJABL_MULTI eval:check_rbl_sub('njabl', '127.0.0.5') describe RCVD_IN_NJABL_MULTI NJABL: sent through multi-stage open relay tflags RCVD_IN_NJABL_MULTI net
Good to know. Sounds like it's mostly a question of style then, though multiple A records would require no new coding whereas bitmasks would.
Using the DNSBL
Anyone can query our DNSBL through normal DNS means. Just reverse the octets and do a name lookup. For example, to check if 127.0.0.2 is present in opm.blitzed.org, do a DNS lookup on 2.0.0.127.opm.blitzed.org. Each entry in the DNSBL has an A record and a TXT record associated with it, the TXT record contains a URL to the proxy information page specific to that IP address telling the user a little information about how to sort out the proxy.
In opm.blitzed.org, the A record has an IP address of 127.1.0.x where x is a bitmask of the types of proxy that have been reported to be running on the host. The values of the bitmask are as follows:
WinGate 1 SOCKS 2 HTTP CONNECT 4 Router 8 HTTP POST 16
The bitmask approach is more compact, but the multiple A record approach is more human-readable and transparent IMO. I'm leaning towards the latter, but am interested in any other comments.
Jeff C.