DNSBL for email addresses?

DNSBL for email addresses?

Marc Perkel-3
Are there any DNSBLs out there based on email addresses? Since you can't
use an @ in a DNS lookup - how would you do DNSBL on email addresses? Is
there a standard?

--
Marc Perkel - Sales/Support
[hidden email]
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: DNSBL for email addresses?

Yet Another Ninja
On 2010-12-14 15:28, Marc Perkel wrote:
> Are there any DNSBLs out there based on email addresses?

nope

> Is there a standard?

nope

Re: DNSBL for email addresses?

Daniel McDonald-3
In reply to this post by Marc Perkel-3

On 12/14/10 8:28 AM, "Marc Perkel" <[hidden email]> wrote:

> Are there any DNSBLs out there based on email addresses?
No.  There was an experimental list for a while.

> Since you can't
> use an @ in a DNS lookup - how would you do DNSBL on email addresses?

# This plugin creates rbl style DNS lookups for email addresses.
# There isn't any official emailbl standard yet(?) so we:
#
# 1) make md5hash of lowercased email address (no other normalizations)
# 2) lookup <hexmd5hash>.zone.example.com.


> Is there a standard?

Nope, but it works.  I use it locally with the emailBL.pm plugin.


--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
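The lookup scheme from the emailBL.pm comment above, as an added example written for this thread rather than the plugin's own code: lowercase the address, take the MD5 hex digest, and query `<hexhash>.<zone>`. The zone name `zone.example.com`, the listed addresses and the in-memory "zone" are constructed so the example runs offline; the resolver is injected so a real DNS A lookup can be swapped in.

```python
"""Added example: an emailBL-style lookup as described in the emailBL.pm
comment (lowercase the address, MD5 it, query <hex>.<zone>). Written for
this thread, not the plugin itself. The zone name and the in-memory zone
data are constructed for the demo."""
import hashlib
from typing import Callable, Dict, Optional

# Assumed zone name; a real deployment would use the list operator's zone.
EMAILBL_ZONE = "zone.example.com"


def normalize(address: str) -> str:
    """emailBL.pm only lowercases: no +tag stripping, no dot folding,
    so keep exactly that behaviour."""
    return address.strip().lower()


def hash_address(address: str, algo: str = "md5") -> str:
    """Hex digest of the normalized address. MD5 gives 32 hex chars,
    SHA-1 gives 40; both fit in one DNS label (limit 63 octets)."""
    h = hashlib.new(algo)
    h.update(normalize(address).encode("utf-8"))
    return h.hexdigest()


def query_name(address: str, zone: str = EMAILBL_ZONE, algo: str = "md5") -> str:
    """Build the fully qualified name to look up: <hexhash>.<zone>."""
    return f"{hash_address(address, algo)}.{zone}"


def lookup(address: str, resolve: Callable[[str], Optional[str]],
           zone: str = EMAILBL_ZONE) -> Optional[str]:
    """Return the A record (e.g. '127.0.0.2') if listed, else None.
    `resolve` is injected so the demo runs offline; in production it would
    wrap a real DNS A lookup (socket.gethostbyname inside try/except)."""
    return resolve(query_name(address, zone))


# Constructed demo zone: two listed addresses, keyed by the name the list
# operator would publish. In real DNS these would be A records.
DEMO_ZONE: Dict[str, str] = {
    query_name("scammer@example.net"): "127.0.0.2",
    query_name("Another.One@example.org"): "127.0.0.3",
}


def demo_resolver(name: str) -> Optional[str]:
    """Stand-in for a DNS resolver: answers only from DEMO_ZONE."""
    return DEMO_ZONE.get(name)


if __name__ == "__main__":
    for addr in ("SCAMMER@example.net", "another.one@example.org", "friend@example.com"):
        print(f"{addr:28} -> {query_name(addr)} -> {lookup(addr, demo_resolver)}")
```

Because the only normalization is lowercasing, `SCAMMER@example.net` and `scammer@example.net` map to the same name, while `scammer+tag@example.net` would not; a list operator and its subscribers have to agree on exactly this normalization or lookups silently miss.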


Re: DNSBL for email addresses?

Benny Pedersen
In reply to this post by Marc Perkel-3
On Tue 14 Dec 2010 15:28:54 CET, Marc Perkel wrote:

> Are there any DNSBLs out there based on email addresses? Since you  
> can't use an @ in a DNS lookup - how would you do DNSBL on email  
> addresses? Is there a standard?

no std, but there was a test with emailbl, google it

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: DNSBL for email addresses?

Big Wave Dave
In reply to this post by Marc Perkel-3
On Tue, Dec 14, 2010 at 6:28 AM, Marc Perkel
<[hidden email]> wrote:
> Are there any DNSBLs out there based on email addresses? Since you can't use
> an @ in a DNS lookup - how would you do DNSBL on email addresses? Is there a
> standard?
>
> --
> Marc Perkel - Sales/Support

While not an actual DNSBL, and only loosely related... I have been
reading about:
http://code.google.com/p/anti-phishing-email-reply/

Dave

Re: DNSBL for email addresses?

Marc Perkel-3


On 12/14/2010 2:38 PM, Big Wave Dave wrote:

> On Tue, Dec 14, 2010 at 6:28 AM, Marc Perkel
> <[hidden email]>  wrote:
>> Are there any DNSBLs out there based on email addresses? Since you can't use
>> an @ in a DNS lookup - how would you do DNSBL on email addresses? Is there a
>> standard?
>>
>> --
>> Marc Perkel - Sales/Support
> While not an actual DNSBL, and only loosely related... I have been
> reading about:
> http://code.google.com/p/anti-phishing-email-reply/
>
> Dave
>

Thanks - looks useful.

--
Marc Perkel - Sales/Support
[hidden email]
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: DNSBL for email addresses?

Cedric Knight-2
In reply to this post by Marc Perkel-3
On 14/12/10 14:28, Marc Perkel wrote:
> Are there any DNSBLs out there based on email addresses? Since you can't
> use an @ in a DNS lookup

Actually, you can use '@' in a lookup.  You just can't use it in a hostname.

Or you could convert the '@' to a '.' as is the format still used in SOA
records.

But both of these would have privacy issues: say you've received an
email via TLS, your anti-spam system suspects it might be a 419, so you
look up a Reply-To address or body email address, and you send a query
to the RBL via DNS.  But it turns out the message was private ham, and
you've lost the protection of TLS.

So a hash is best, and I'd suggest SHA1 over MD5.  And I do think the
idea is worth trying; although freemail identities are cheap, there is
still some time and effort and risk of detection involved in creating
and checking them.

CK

Re: DNSBL for email addresses?

John Hardin
On Tue, 14 Dec 2010, Cedric Knight wrote:

> So a hash is best,

Agreed.

> and I'd suggest SHA1 over MD5.

Just out of curiosity, why? An MD5 hash is shorter than an SHA hash (an
important consideration when you're making lots of DNS queries of the
hash), MD5 is computationally lighter than SHA, and MD5 is robust enough
for this purpose, even though artificial collision scenarios exist.

Granted I wouldn't sign a legal document with it any more, but for a
private perfect hash of an email address, why not?

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Mine eyes have seen the horror of the voting of the horde;
   They've looted the fromagerie where guv'ment cheese is stored;
   If war's not won before the break they grow so quickly bored;
   Their vote counts as much as yours.                          -- Tam
-----------------------------------------------------------------------
  Tomorrow: Bill of Rights day

Re: DNSBL for email addresses?

RW-15
On Tue, 14 Dec 2010 15:52:28 -0800 (PST)
John Hardin <[hidden email]> wrote:

> On Tue, 14 Dec 2010, Cedric Knight wrote:
>
> > So a hash is best,
>
> Agreed.
>
> > and I'd suggest SHA1 over MD5.
>
> Just out of curiosity, why? An MD5 hash is shorter than an SHA hash
> (an important consideration when you're making lots of DNS queries of
> the hash), MD5 is computationally lighter than SHA, and MD5 is robust
> enough for this purpose, even though artificial collision scenarios
> exist.
>
> Granted I wouldn't sign a legal document with it any more, but for a
> private perfect hash of an email address, why not?


I don't see that there's all that much added security anyway.

I don't think spammers are likely to intercept dns as a way of
harvesting addresses.  

As far as general privacy is concerned, without a shared-secret anyone
can generate the hash and look for known addresses. And if you don't add
salt to the hash, it's going to be fairly easy to perform an efficient
dictionary attack, in which case the choice of hash function makes
little difference.
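An added example, not code from any poster, putting Cedric's privacy concern and RW's shared-secret point side by side: a plain SHA-1 of the address can be recomputed by anyone who can guess the address, whereas an HMAC under a secret shared between the list publisher and its subscribers cannot. The zone name and `LIST_SECRET` are constructed for the demo.

```python
"""Added example, not code from the thread: what an unkeyed hash of an
address does and does not hide, versus a keyed (shared-secret) hash.
The zone name and LIST_SECRET are constructed for the demo."""
import hashlib
import hmac
from typing import Dict, Optional

ZONE = "emailbl.example.com"  # assumed list zone
# Assumed secret handed to subscribers out of band; the publisher uses the
# same secret when generating the zone, so names still match.
LIST_SECRET = b"demo-secret-not-for-real-use"


def unkeyed_name(address: str) -> str:
    """Plain SHA-1 of the lowercased address (40 hex chars)."""
    digest = hashlib.sha1(address.lower().encode("utf-8")).hexdigest()
    return f"{digest}.{ZONE}"


def keyed_name(address: str, secret: bytes) -> str:
    """HMAC-SHA1 of the lowercased address under the list secret."""
    digest = hmac.new(secret, address.lower().encode("utf-8"), hashlib.sha1).hexdigest()
    return f"{digest}.{ZONE}"


def observer_can_link(observed_query: str, guess: str,
                      secret: Optional[bytes] = None) -> bool:
    """Model a passive observer of DNS traffic who suspects the query was for
    `guess`. With no secret they can only recompute the unkeyed form; with a
    secret they recompute the keyed form. True means the guess is confirmed."""
    if secret is None:
        return hmac.compare_digest(observed_query, unkeyed_name(guess))
    return hmac.compare_digest(observed_query, keyed_name(guess, secret))


def privacy_demo(address: str) -> Dict[str, bool]:
    """Same address through both schemes, seen from several positions."""
    q_unkeyed = unkeyed_name(address)
    q_keyed = keyed_name(address, LIST_SECRET)
    return {
        "unkeyed: anyone with a guess": observer_can_link(q_unkeyed, address),
        "keyed: observer without secret": observer_can_link(q_keyed, address),
        "keyed: observer with wrong secret": observer_can_link(q_keyed, address, b"wrong"),
        "keyed: subscriber with secret": observer_can_link(q_keyed, address, LIST_SECRET),
    }


if __name__ == "__main__":
    for position, linked in privacy_demo("someone@example.org").items():
        print(f"{position:35} -> {'linked' if linked else 'not linked'}")
```

A random per-hash salt cannot be used here, because every querier must reproduce exactly the name the publisher put in the zone; the "salt" therefore has to be one fixed secret shared with every subscriber. That stops outsiders from building tables in advance, but any party holding the secret can still confirm a guessed address, which is RW's point that the scheme, more than the hash function, sets the privacy ceiling. Either way the DNS query itself still reveals that a lookup happened.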

Re: DNSBL for email addresses?

Philip Prindeville
In reply to this post by Cedric Knight-2
On 12/14/10 3:35 PM, Cedric Knight wrote:
> On 14/12/10 14:28, Marc Perkel wrote:
>> Are there any DNSBLs out there based on email addresses? Since you can't
>> use an @ in a DNS lookup
> Actually, you can use '@' in a lookup.  You just can't use it in a hostname.
>
> Or you could convert the '@' to a '.' as is the format still used in SOA
> records.

Not just SOA records, but the MB records were supposed to use this as well.  They just never caught on.

-Philip


Re: DNSBL for email addresses?

Oguz Yilmaz
In reply to this post by Marc Perkel-3
You can try right hand side black lists (RHSBL) for domain part.


On Tue, Dec 14, 2010 at 4:28 PM, Marc Perkel
<[hidden email]> wrote:

> Are there any DNSBLs out there based on email addresses? Since you can't use
> an @ in a DNS lookup - how would you do DNSBL on email addresses? Is there a
> standard?
>
> --
> Marc Perkel - Sales/Support
> [hidden email]
> http://www.junkemailfilter.com
> Junk Email Filter dot com
> 415-992-3400
>
>

Re: DNSBL for email addresses?

David B Funk
In reply to this post by Marc Perkel-3
On Tue, 14 Dec 2010, Marc Perkel wrote:

> Are there any DNSBLs out there based on email addresses? Since you can't
> use an @ in a DNS lookup - how would you do DNSBL on email addresses? Is
> there a standard?
>

Why do you say "Since you can't use an @ in a DNS lookup"??
Unless you're using obsolete software there's no reason you cannot.

EG:

 % nslookup '[hidden email]'
 Server:  dns2.icaen.uiowa.edu
 Address:  128.255.17.20

 Name:    acc\@khath.com.phish.icaen.uiowa.edu
 Address:  127.0.0.2

 % nslookup '[hidden email]'
 Server:  dns2.icaen.uiowa.edu
 Address:  128.255.17.20

 *** dns2.icaen.uiowa.edu can't find [hidden email]:
 Non-existent host/domain

and that's with bind-9.4, not a particularly new revision.

--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: DNSBL for email addresses?

Bowie Bailey
In reply to this post by Philip Prindeville
On 12/14/2010 8:31 PM, Philip Prindeville wrote:

> On 12/14/10 3:35 PM, Cedric Knight wrote:
>> On 14/12/10 14:28, Marc Perkel wrote:
>>> Are there any DNSBLs out there based on email addresses? Since you
>>> can't
>>> use an @ in a DNS lookup
>> Actually, you can use '@' in a lookup.  You just can't use it in a
>> hostname.
>>
>> Or you could convert the '@' to a '.' as is the format still used in SOA
>> records.
>
> Not just SOA records, but the MB records were supposed to use this as
> well.  They just never caught on.

So how does this work for an address like [hidden email]?  This
would be converted to first.last.example.com, which is ambiguous and
likely decoded to [hidden email].

--
Bowie

Re: DNSBL for email addresses?

Cedric Knight-2
In reply to this post by RW-15
On 15/12/10 00:43, RW wrote:

> On Tue, 14 Dec 2010 15:52:28 -0800 (PST)
> John Hardin <[hidden email]> wrote:
>
>> On Tue, 14 Dec 2010, Cedric Knight wrote:
>>
>>> So a hash is best,
>>
>> Agreed.
>>
>>> and I'd suggest SHA1 over MD5.
>>
>> Just out of curiosity, why? An MD5 hash is shorter than an SHA hash
>> (an important consideration when you're making lots of DNS queries of
>> the hash), MD5 is computationally lighter than SHA, and MD5 is robust
>> enough for this purpose, even though artificial collision scenarios
>> exist.

Maybe I was being over-cautious, based on articles (which I can't find
online any more) suggesting MD5 is likely to become trivial to crack in
future owing to mathematical shortcuts.  It's not as if you can recover
the data from a hash, or even (as I read it) that you can create a
collision for any given hash yet, but there may be a problem in any
context with assuming something is secure when it's only semi-secure.

I am not a mathematician or security expert, therefore I am swayed by
pronouncements from US-CERT:
"Do not use the MD5 algorithm
Software developers, Certification Authorities, website owners, and
users should avoid using the MD5 algorithm in any capacity. As previous
research has demonstrated, it should be considered cryptographically
broken and unsuitable for further use."
http://www.kb.cert.org/vuls/id/836068

OK, so this isn't a cryptographic application.  I'm just thinking
future-proofing.  Some background for non-experts like me:
http://www.maa.org/devlin/devlin_02_06.html

SHA1 is 40 characters, as against MD5's 32, which isn't such a great
difference, considering an IPv6 lookup is 64 under rfc5782.

>> Granted I wouldn't sign a legal document with it any more, but for a
>> private perfect hash of an email address, why not?
>
> I don't see that there's all that much added security anyway.
>
> I don't think spammers are likely to intercept dns as a way of
> harvesting addresses.  
>
> As far as general privacy is concerned, without a shared-secret anyone
> can generate the hash and look for known addresses. And if you don't add
> salt to the hash, it's going to be fairly easy to perform an efficient
> dictionary attack, in which case the choice of hash function makes
> little difference.

I wasn't thinking of harvesting by spammers, but by (say) a government
authority that does not already have a dictionary of addresses that is
known to be complete.  This is information in non-spam bodies that might
be looked up (well it would be if you want to use it to block 419
scams).  Also, possibly people might want to use the same hashing
standard for a DNSWL of (maybe DKIM-verified) email addresses, meaning
that list would be abusable by spammers who are able to create a hash
collision.

CK

Re: DNSBL for email addresses?

mouss-4
In reply to this post by John Hardin
On 15/12/2010 00:52, John Hardin wrote:

> On Tue, 14 Dec 2010, Cedric Knight wrote:
>
>> So a hash is best,
>
> Agreed.
>
>> and I'd suggest SHA1 over MD5.
>
> Just out of curiosity, why? An MD5 hash is shorter than an SHA hash (an
> important consideration when you're making lots of DNS queries of the
> hash), MD5 is computationally lighter than SHA, and MD5 is robust enough
> for this purpose, even though artificial collision scenarios exist.
>

because it's good to abandon weak algorithms, once and for all. the small
wannabe performance benefit that you might find is useless.

we keep seeing people using weak stuff because "it's enough" and "it's
faster/lighter/..." with the results that you know.


if you're worried about performance, don't hash at all. would you use a
Caesar/base64/... ? either you need security and you use an algorithm
that's not considered broken, or you don't.



> Granted I wouldn't sign a legal document with it any more, but for a
> private perfect hash of an email address, why not?

it's weak. don't use it anymore. we have many "secure" alternatives, why
go for "bugward compatibility"?


Re: DNSBL for email addresses?

mouss-4
In reply to this post by Marc Perkel-3
On 14/12/2010 15:28, Marc Perkel wrote:
> Are there any DNSBLs out there based on email addresses? Since you can't
> use an @ in a DNS lookup - how would you do DNSBL on email addresses? Is
> there a standard?
>

you can still use something like

[hidden email] => john.doe._address.example.com

but you still need to convert those special chars which are allowed in
local parts.

do you really think there is a need to list email addresses? if yes,
then maybe you can define a subset instead of all possible addresses.
after all, spammers don't use all possible representations, do they?
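An added example, not code from any poster, covering Bowie Bailey's ambiguity objection to the plain `@` to `.` conversion and mouss's `_address` separator form with its special-character caveat: it builds the same two addresses under four encodings (dot conversion, separator label, a single escaped label as in the nslookup output David Funk posted, and the hashed form) and reports which encodings collide. The zone name and the two addresses are constructed for the demo.

```python
"""Added example (not from the thread): four ways to turn an address into a
DNS query name, and which of them make distinct addresses collide.
The zone name and the sample addresses are constructed for the demo."""
import hashlib
from typing import Callable, Dict, Iterable, Tuple

ZONE = "emailbl.example.com"  # assumed list zone


def split_address(address: str) -> Tuple[str, str]:
    """Split on the last '@'; DNS is case-insensitive so lowercase the domain.
    Raises ValueError for a string without '@'."""
    local, domain = address.rsplit("@", 1)
    return local, domain.lower()


def dot_form(address: str) -> str:
    """Replace '@' with '.' (the SOA RNAME / MB record convention).
    Ambiguous: 'first.last@example.com' and 'first@last.example.com' collide."""
    local, domain = split_address(address)
    return f"{local}.{domain}.{ZONE}"


def separator_form(address: str) -> str:
    """mouss's form: a marker label between local part and domain. Keeps these
    two apart as long as '_address' never occurs as a label in the domain
    (underscore is not valid in hostnames), but the local part's own
    characters are still passed through unescaped."""
    local, domain = split_address(address)
    return f"{local}._address.{domain}.{ZONE}"


def escape_label(text: str) -> str:
    """Master-file escaping (RFC 1035 section 5.1) so the whole local part is
    ONE label: '.', '\\' and '@' get a backslash, other non-printable or
    non-ASCII octets become \\DDD. Caveat: a label holds at most 63 octets
    while RFC 5321 allows a 64-octet local part."""
    out = []
    for b in text.encode("utf-8"):
        ch = chr(b)
        if ch in ".\\@":
            out.append("\\" + ch)
        elif b < 0x21 or b > 0x7E:
            out.append("\\%03d" % b)
        else:
            out.append(ch)
    return "".join(out)


def escaped_form(address: str) -> str:
    """Local part as a single escaped label followed by '\\@' and the domain,
    the presentation form nslookup printed upthread (acc\\@khath.com...).
    On the wire the label simply carries the raw octets."""
    local, domain = split_address(address)
    return f"{escape_label(local)}\\@{domain}.{ZONE}"


def hashed_form(address: str) -> str:
    """emailBL-style: MD5 of the lowercased address, one fixed-length label."""
    return hashlib.md5(address.lower().encode("utf-8")).hexdigest() + "." + ZONE


FORMS: Dict[str, Callable[[str], str]] = {
    "dot": dot_form,
    "separator": separator_form,
    "escaped": escaped_form,
    "hashed": hashed_form,
}


def collisions(addresses: Iterable[str]) -> Dict[str, bool]:
    """For each encoding, True if two distinct input addresses map to the
    same query name (i.e. the encoding is ambiguous for this input)."""
    addrs = list(addresses)
    return {name: len({f(a) for a in addrs}) < len(addrs) for name, f in FORMS.items()}


# Constructed pair that differs only in where the '@' sits.
SAMPLE = ["first.last@example.com", "first@last.example.com"]

if __name__ == "__main__":
    for a in SAMPLE:
        for name, f in FORMS.items():
            print(f"{name:9} {a:24} -> {f(a)}")
    print(collisions(SAMPLE))
```

The dot form is the only one that merges the two sample addresses; the separator and escaped forms stay reversible but need care with dots, backslashes and non-ASCII in the local part, and the hashed form sidesteps all of that at the cost of no longer being readable in the zone.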

Re: DNSBL for email addresses?

owenc
On Dec 23, 2010, at 12:35 PM, mouss wrote:

> do you really think there is a need to list email addresses? if yes,
> then may be you can define a subset instead of all possible addresses.
> after all, spammers don't use all possible representations, do they?

May not, but they'd definitely start using anything that didn't fit into your model once you started having any success with it.

Chris

--
-------------------------------------------------------------------------
Chris Owen         - Garden City (620) 275-1900 -  Lottery (noun):
President          - Wichita     (316) 858-3000 -    A stupidity tax
Hubris Communications Inc      www.hubris.net
-------------------------------------------------------------------------



Re: DNSBL for email addresses?

mouss-4
On 23/12/2010 19:40, Chris Owen wrote:
> On Dec 23, 2010, at 12:35 PM, mouss wrote:
>
>> do you really think there is a need to list email addresses? if yes,
>> then may be you can define a subset instead of all possible addresses.
>> after all, spammers don't use all possible representations, do they?
>
> May not, but they'd definitely start using anything that didn't fit into your model once you started having any success with it.
>

that's not a problem. we don't want to block every possible thing. we
want to block common things. if spammers start using "special" forms, we
can deal with that.

Re: DNSBL for email addresses?

Bob Proulx
In reply to this post by mouss-4
mouss wrote:
> John Hardin wrote:
> > Just out of curiosity, why? An MD5 hash is shorter than an SHA hash (an
> > important consideration when you're making lots of DNS queries of the
> > hash), MD5 is computationally lighter than SHA, and MD5 is robust enough
> > for this purpose, even though artificial collision scenarios exist.
>
> because it's good to abandon weak algorithms, once for all. the small
> wanna be performance benefit that you might find is useless.

But the logical conclusion of that argument is that all hashes are
insecure and none should ever be used.  Because even though SHA is
considered secure today the expected trend is that it will also fall
to attacks in the future and be replaced by something heavier.

> we keep seeing people using weak stuff because "it's enough" and "it's
> faster/lighter/..." with the results that you know.

And there is a reason for that.  Right-sizing is also important.  It
isn't good to use a large construction bulldozer when a single shovel
is all that is needed.  If MD5 is the optimal size then it is the
right size to use regardless of vulnerabilities when used in a
security critical role.

> if you're worried about performance, don't hash at all. would you use a
> Caesar/base64/... ? either you need security and you use an algorithm
> that's not considered broken, or you don't.

You have hit the problem exactly.  If we follow the line of logic you
have presented then we can never hash.  Because there isn't ever going
to be a hash that doesn't ever have collisions.

> > Granted I wouldn't sign a legal document with it any more, but for a
> > private perfect hash of an email address, why not?
>
> it's weak. don't use it anymore. we have many "secure" alternatives, why
> go for "bugward compatibility"?

Until SHA falls too.

Bob

Re: DNSBL for email addresses?

RW-15
In reply to this post by mouss-4
On Thu, 23 Dec 2010 19:31:23 +0100
mouss <[hidden email]> wrote:

> if you're worried about performance, don't hash at all. would you use a
> Caesar/base64/... ? either you need security and you use an algorithm
> that's not considered broken, or you don't.

The breaks in md5 would allow an attacker to generate a second email
address that collides with a given address. I don't see how that
compromises anything since presumably the intent is to avoid an
attacker inferring an address from a hash.

From the security point of view the scheme itself is far more broken
than md5 is. A secure hash function can only protect addresses that
are both secret and contain a cryptographically secure amount of
entropy.

I'm curious as to the point of this. Phishing/fraud contact addresses
might be better left to AV software that already have the
infrastructure to push this kind of information without any
side-channel leakage. Abusive marketers use fixed from addresses
but their status is often subjective.  If the intent is to catch lazy
spammers, I think it'll be a very short-term win.