On 2006-03-14 19:30:55 +0000, Justin Mason wrote:
>
> interesting. sounds a lot like:
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3997

Yes, thanks. I think that is the same issue.

> Peter J. Holzer writes:
> > I found 4 more mails in the last three months which were rejected
> > where the IP-Address in the error message doesn't match the IP
> > address of the connection.
[...]
> > * dnsbl sometimes gets a response to a query sent by a different
> >   forkserver child. I guess it would be possible that two forkserver
> >   processes running after each other get the same UDP port and the
> >   second gets a reply packet intended for the first. However, I would
> >   expect that Net::DNS checks whether an answer matches the query it
> >   sent ...

My expectation was wrong. As Sidney Markowitz in
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3997#c73
points out:

| Net::DNS can't use the ID field to ensure that a bgread matches up with
| a bgsend unless it cached every socket returned by bgsend in order to
| save the ID in a hash with it.

So the matching has to be done by the application. We don't actually
have to check the ID (although we probably should to avoid spoofed
responses), but we should at least check if the name in the request
matches the name in the query. (currently the name is only extracted to
find out which rbl this was)

While investigating this (and before reading your mail) I found out two
other facts which are rather bad:

1) Net::DNS by default uses port 0, and Linux seems to assign ports
   sequentially. This makes it rather easy to guess port numbers.

2) Net::DNS assigns a random id when the package is loaded and just
   increments the id for each request. This also makes ID guessing easy.
   What's worse, with forkserver the package is loaded in the parent
   process, so every child goes through the same sequence of IDs!
   It doesn't matter in this case, since the ID isn't checked anyway,
   but for synchronous requests it makes a difference.

        hp

-- 
   _  | Peter J. Holzer    | I now realize that computers are not very
|_|_) | Sysadmin WSR       | well suited to remembering things.
| |   | [EMAIL PROTECTED]  |
__/   | http://www.hjp.at/ |    -- Holger Lembke in dan-am
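
The application-level matching discussed in the message above, as an added example that is not part of the original post and is not Net::DNS or qpsmtpd code. It is written in Python at the DNS wire-format level and goes beyond the name check to also compare the ID, the response bit, the query type and the sender; the function names and the `pending` record are assumptions made for illustration.

```python
import secrets
import struct

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1):
    """Return (id, packet). The ID is drawn from a CSPRNG, not a counter."""
    qid = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return qid, header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (id, is_response, qname, qtype) from header and first question."""
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        if length > 63:  # compression pointer or invalid label length
            raise ValueError("bad label in question section")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return qid, bool(flags & 0x8000), ".".join(labels), qtype

def response_matches(pending, packet, sender):
    """pending holds the id, name, qtype and server recorded when the query was sent."""
    try:
        qid, is_response, qname, qtype = parse_question(packet)
    except (ValueError, IndexError, struct.error):
        return False  # truncated or malformed: treat as not ours
    return (is_response
            and sender == pending["server"]
            and qid == pending["id"]
            and qtype == pending["qtype"]
            and qname == pending["name"].rstrip(".").lower())
```

A caller would record `pending` per socket when sending and drop any datagram for which `response_matches` returns false, so a reply meant for another child is ignored even when both share the same ID.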
