[Mimedefang] how to undo Verisigns mess

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Tue Sep 16 10:04:01 EDT 2003 

Hi!

> Hi, 
> 
> has anybody thought about what to make the best out of the mess Verisign
made 
> in respect to SPAM scoring / sender address domain checking?
> 
> Since recently, all .net and .com domains started to resolve, pointing to
a 
> verisign owned server that shows a customized webpage. As per DNS this is
an 
> A record, the "check if domain is resolvable" check of many mailers (and 
> spamassassin) has been effectively nullified. 
> 
> I was thinking about adding a check for an explicit MX record (which
versign 
> does not set currently). 
> 
> As an example, try looking up the nonexistent domain 
> "roaringpiguin.com" (David forgive me for that little pun ;-) )
> 
> $ dig roaringpiguin.com
> 
> ; <<>> DiG 9.2.2 <<>> roaringpiguin.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34535
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
> 
> ;; QUESTION SECTION:
> ;roaringpiguin.com.             IN      A
> 
> ;; ANSWER SECTION:
> roaringpiguin.com.      900     IN      A       64.94.110.11
> 
> 
> another solution might be to discard DNS checks which 
> reverse-resolve to 
> sitefinder-idn.verisign.com., but I don't know how stable 
> that will be. 
> 
> 
> Dirk

No mimedefang solution, but a sendmail ruleset made and posted by Richard
Rognlie on comp.mail.sendmail:

LOCAL_CONFIG
Kbestmx bestmx -z/
Khostip dns -RA

LOCAL_RULESETS
SLocal_check_mail
R$*                     $: $>canonify $1
R<@>                    $@ <@>
R$*<@$*.>               $: $1<@$2>              strip the trailing . if 
present
R$*<@$+>                $: $2 $| $>CheckBrokenVerisign $2
R$* $| $#$*             $#$2
R$+ $| $*               $: $1 $| $>CheckBadMX $( bestmx $1 $) /
R$* $| $#$*             $#$2

SCheckBrokenVerisign
R$*                     $: $(hostip $1 $)
R64.94.110.11           $#error $@ 5.5.4 $: "550 Real domain name 
required for sender address"
R127.0.0.1              $#error $@ 5.5.4 $: "550 Real domain name 
required for sender address"

SCheckBadMX
R$* / $*                $>CheckThisMX $1 / $2

SCheckThisMX
R$* / $*                $: $(hostip $1 $) $| $2
R127.0.0.1 $| $*        $#error $@ 5.5.4 $: "550 sender does not resolve 
to a replyable domain"
R$* $| $*               $@ $2


Be sure to put in tabs between LHS and RHS.

Alexander


-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416  14CD E197 6E88 ED69 5653

More information about the MIMEDefang mailing list