On Mon, Dec 29, 2003 at 03:06:23PM -0700, the entity calling itself Edward A. Gardner 
stated:

> I think I understand dynamic vs. static IP addresses, and I understand why 
> some people feel compelled to filter on them, and why others consider that 
> an ill-conceived idea.  But how is the filtering actually performed?

Before you can filter dynamic ip addresses, you must have an idea of
which addresses are dynamically assigned by an ISP. Here's a FAQ on how
one dnsbl provider comes up with a list of dynamic ip addresses:

http://www.dnsbl.au.sorbs.net/DUL-FAQ.html

Identifying dynamic ip addresses is not straightforward unless the ISP
cooperates and lists them. Before they shut down their service,
easynet.nl had (IMHO) the most complete list of dynamic ip's; they also
had a FAQ that explained in better detail how they developed their list.
Unfortunately their FAQ also appears to be gone, but as I recall they
used some heuristics to help them identify dynamic ip addresses. For
example, consider the following host names:

h24-67-5-214.ed.shawcable.net
iam.spamsender.com

You can get a pretty good clue that the first of these hostnames might 
be associated with a dynamic ip address; you get a little stronger clue 
when you actually do a lookup on this hostname and get: 24.67.5.214

Once you have the list, it works like all the other dnsbl's: you do a 
reverse DNS to the dnsbl server, and look at the return value. For 
example, using the dnsbl server 'dnsbl.sorbs.net':

# nslookup 214.5.67.24.dnsbl.sorbs.net
Server:         <ip addr of your dns>
Address:        <ip addr of your dns>#53

Non-authoritative answer:
Name:   214.5.67.24.dnsbl.sorbs.net
Address: 127.0.0.10

The return is '127.0.0.10'. In the case of the sorbs dnsbl, that means 
that this address is in their "Dial-Up List", aka dynamic ip address 
list. This is explained further:

 http://www.dnsbl.us.sorbs.net/using.html

> Is this simply recognizing the well-known non-routable IP addresses (10..., 
> 192.168.., etc.) in the source address of an incoming connection to port 
> 25?  I don't see how that could ever happen.

You're correct - it doesn't.

> Is it scanning email headers 
> for those addresses?  I don't see that this would filter much of 
> anything.  One of the "ideological battle" messages blamed some part of 
> this on NAT; I don't see where NAT has anything to do with this, as NAT is 
> not the only source of dynamic addresses.

Obfuscation of technical facts is one of the problems with ideological
battles :)
 
> I'm sending this email via a dial-up PPP connection.  My ISP has assigned 
> me IP address 209.248.81.177, derived from where I landed in the modem 
> pool.  If I disconnect and dial-in again I will likely get a different IP 
> address.  209.248.81.177 is what I think is meant by "dynamic address" in 
> this discussion.

Bingo!
 
> When I send email, it goes from my PC to a server at my ISP.  The mail 
> server has the static IP address 209.248.82.245.  It is registered under 
> the DNS name mail.ophidian.com.
> 
> The above two IP addresses appear as the first "Received:" headers in email 
> that I send.

Right again - reading your headers from top to bottom will give the 
reverse order of the relays through which your message flowed to reach 
its final destination. However, only the ip address of the last relay 
(at the top of your header) can be counted on to be correct because 
the others are easily forged.
 
And, FWIW, you can see who's blacklisting your & your ISP's addresses:
 http://www.dnsstuff.com/tools/ip4r.ch?ip=209.248.81.177

> From just the IP addresses themselves, I don't see any way to distinguish 
> the one address as dynamic and the other as static.  One could perform a 
> reverse DNS lookup, which should succeed on the static address and fail on 
> the dynamic.

It won't necessarily fail on the dynamic address; hopefully the example 
above showed how this works.
 
> Is this what it means to "block mail from dynamic addresses"?  To block 
> incoming connections to port 25 unless a reverse DNS lookup succeeds?  Is 
> any other checking done with the results of the lookup?

Typically, if a dnsbl server returns an address of the form '127.0.0.X' 
this means the ip address you've queried is "listed", and the 
connection is blocked by the receiving mail server. If nothing is 
returned, the address isn't listed and (may be) accepted.
 
> I don't really understand so-called dynamic DNS, other that what seems self 
> evident from the name.  But wouldn't that provide a way to get around such 
> blocking and send mail from dynamic addresses?

I don't understand the term either.
 
> A more succinct way of asking the above might be to ask how one would write 
> a pf filter (or an email filter) to recognize and block email from dynamic 
> addresses.

That's a very good question (I think so since I asked more or less the 
same question some time ago :)

I thought it would be possible to do a pf redirect based on the result
of a reverse dns lookup. I posted the Q to [EMAIL PROTECTED], but Theo
spit on the suggestion... other than not caring for the idea, I think he
may have felt this was an unreasonable task for kernel code to perform. 
Since then I've wondered why it couldn't be done, but I've neither the 
skills nor time for it. 

Perhaps a daemon that simply "holds" the incoming connection long enough
for it to be evaluated, and then redirects it to either spamd or port
25. I know this - in my case at least the thing that limits the
effectiveness of spamd is that I can't afford enough memory to get the
<spamd> table size I want to use. Accessing these addresses via a 
DNS-type mechanism would resolve that issue.

Anyway - hope this helped.

Jay
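Added example (not part of Jay's message) showing the two mechanisms described above: building the reversed-octet DNSBL query for 'dnsbl.sorbs.net' and interpreting a 127.0.0.X answer, plus the hostname heuristic (a rDNS name that spells out its own octets, like h24-67-5-214.ed.shawcable.net). The resolver is passed in as a callable so the example runs offline against a constructed answer; only the 127.0.0.10 = Dial-Up List meaning from the thread is mapped, other codes are reported numerically.

```python
import re
import socket
from typing import Callable, Optional

DNSBL_ZONE = "dnsbl.sorbs.net"
# Only the code documented in the thread; other codes are reported numerically.
SORBS_CODES = {10: "Dial-Up List (dynamic address space)"}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet query name: 24.67.5.214 -> 214.5.67.24.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def interpret_dnsbl_answer(answer: Optional[str]) -> tuple:
    """Map a DNSBL A record to (listed, code, description); None means no record."""
    if answer is None:
        return (False, None, "not listed")
    m = re.fullmatch(r"127\.0\.0\.(\d{1,3})", answer)
    if not m:
        # A non-127.0.0.X answer is not a listing; keep the value for the log.
        return (False, None, f"unexpected answer {answer}")
    code = int(m.group(1))
    return (True, code, SORBS_CODES.get(code, f"listed with code {code}"))


def hostname_embeds_ip(hostname: str, ip: str) -> bool:
    """Heuristic from the thread: all four octets appear, in order, as digit
    runs of the rDNS name (h24-67-5-214...), hinting at generic/dynamic space."""
    octets = ip.split(".")
    matched = 0
    for run in re.findall(r"\d+", hostname):
        if matched < 4 and run == octets[matched]:
            matched += 1
    return matched == 4


def live_resolve(name: str) -> Optional[str]:
    """Real lookup for use outside tests; None stands for 'no such name'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dynamic(ip: str, hostname: str,
                  resolve: Callable[[str], Optional[str]] = live_resolve) -> dict:
    """Combine the DNSBL answer and the hostname hint into one verdict record."""
    listed, code, desc = interpret_dnsbl_answer(resolve(dnsbl_query_name(ip)))
    return {"dnsbl_listed": listed, "dnsbl_code": code, "dnsbl_desc": desc,
            "hostname_hint": hostname_embeds_ip(hostname, ip)}
```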
