Perl regular expression RBL DNS server
While studying various spam-fighting techniques, it has started to become
clear to me that the correct solution is (and has always been) stopping
spam from even entering your network. This means blocking email at the
front door and rejecting anything from identified IP addresses.
"Realtime Blackhole Lists" are managed via DNS queries. They act like
standard "in-addr.arpa" lookups, but use a different domain, and look up
"A" records instead of "PTR" records. If a record is found as "127.0.0.2"
then the IP address is considered to be part of that RBL. Sendmail and
many other MTAs support arbitrary RBLs.
RBLs are built usually by hand, and list individual IP addresses, and
sometimes whole network segments. This is difficult to maintain, and
while looking at the lists of hosts sending me email, it became obvious
that two major patterns existed for hosts that sent spam:
It seemed to me that a simple set of regular expressions could flag
almost 85% of the hosts, and I set out to find a way to use regexs as
- Have no DNS name (DNS queries return 'NXDOMAIN').
- Hosts with IP, MAC, or inventory numbers encoded in their name.
As it turns out, there didn't appear to be any regex-based DNS servers,
which makes sense, considering all DNS servers are written to serve
specific information. RBLs are just kind of a hack, piggybacking on the
DNS protocols. Lucky for me, Perl has some excellent DNS server modules
already written. I just had to harness their power, and hook up
- Finish ip to name to ip spoof checking.
- Handle in-addr.arpa aliases for sub-class-C splits.
- Break configuration and regexs out into a config file.
- Create a report-generating tool to produce dialy lookup, pass, and
reject statistics (like trustic.com did).
- Version 0.001 of reresolv, the regex RBL DNS
seriver written in Perl.
- A quick RBL checking tool written in Perl.
- A patch to Net::DNSServer to
make the DEBUG log_file output optional.
$Id: index.html,v 1.3 2003/08/10 10:22:56 nemesis Exp $