Re: Is this a Tor exit node connecting to me?
On Mon, 26 Mar 2007, Roger Dingledine wrote:
> Matt, can you let us know if setting up sendmail with the
> relative-to-your-IP-address approach is just as easy? Are there common
> situations where it would make things harder?
While sendmail's default dnsbl() FEATURE, as well as SpamAssassin's
check_rbl_sub(), do not have the flexibility to append the port
information to the query (i.e., seeing if the connecting host is in
the list _and_ is allowing exits on port 25), it could possibly be
easy to add similar functions that do.
The problem is that they aren't shipped by default, and the dnsbl
lookup functions that do will likely be (ab)used to check the tor
dnsbl and make decisions based on simply whether a host is present.
Possibly the easiest and friendliest way to cope would be to provide
additional dnsbl views by port for interesting ports; perhaps zones
such as 25.exit.dnsbl.zone or 80.exit.dnsbl.zone. This would allow
existing software to easily perform a lookup without risking the binary
> And while I'm asking, we could imagine setting up a dnsbl that looks
> at what IP address is asking the question, and answers relative to that
> address. Thus people in Matt's situation could just plug it in, and it
> would internally do what we all mean.
Not sure what's relative to the query source here. We're presumably
looking to see if a host is a tor node and whether its policy
allows exit on an arbitrary port, right? None of that AFAIK is
dependent on who's asking.
I can see some downsides though --
if the client querying the dnsbl is on a very different address than
the service, or if proxying dns queries (or passing recursive queries)
is commonplace. I suspect a few 'no, that wouldn't work' responses should
be sufficient to discard this paragraph. :)
It would also be computationally hard :)
Moral indignation is a technique to endow the idiot with dignity.
- Marshall McLuhan
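The per-port DNSBL views proposed above (zones like 25.exit.dnsbl.zone and 80.exit.dnsbl.zone), and the pitfall of a plain "is it listed?" check, worked through as an added example. This code is not part of the thread and is not from any Tor or sendmail project; the zone name exit.dnsbl.zone, the listed addresses (RFC 5737 documentation space) and the offline resolver are all constructed for illustration. The point it shows: a relay that exits to port 80 but not 25 is rejected by the binary lookup an off-the-shelf dnsbl FEATURE performs, but accepted by the port-aware lookup against the 25 view.

```python
"""Port-aware DNSBL lookups for Tor exits (constructed example)."""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Assumed zone name; a real list would publish its own.
GENERIC_ZONE = "exit.dnsbl.zone"

# Constructed listing data: query name -> A record. 127.0.0.2 is the
# conventional "listed" answer for DNSBLs.
CONSTRUCTED_ZONE_DATA: Dict[str, str] = {
    # 192.0.2.10: a Tor relay whose exit policy allows port 80 but not 25
    "10.2.0.192.exit.dnsbl.zone": "127.0.0.2",
    "10.2.0.192.80.exit.dnsbl.zone": "127.0.0.2",
    # 192.0.2.20: an exit whose policy allows port 25
    "20.2.0.192.exit.dnsbl.zone": "127.0.0.2",
    "20.2.0.192.25.exit.dnsbl.zone": "127.0.0.2",
    # 192.0.2.30: not a Tor node at all, so no entries
}

Resolver = Callable[[str], Optional[str]]


def constructed_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a DNS A lookup against the constructed zone."""
    return CONSTRUCTED_ZONE_DATA.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real A lookup; NXDOMAIN (host not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def reversed_octets(ip: str) -> str:
    """DNSBLs key on the address with octets reversed: 192.0.2.10 -> 10.2.0.192."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_query_name(ip: str, zone: str, port: Optional[int] = None) -> str:
    """Build <reversed-ip>.<zone>, or <reversed-ip>.<port>.<zone> for a per-port view."""
    if port is not None:
        if not 0 < port < 65536:
            raise ValueError(f"bad port {port}")
        zone = f"{port}.{zone}"
    return f"{reversed_octets(ip)}.{zone}"


def is_tor_node(ip: str, resolve: Resolver, zone: str = GENERIC_ZONE) -> bool:
    """Binary check: is the host in the list at all?"""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def is_tor_exit_for_port(ip: str, port: int, resolve: Resolver,
                         zone: str = GENERIC_ZONE) -> bool:
    """Port-aware check: is the host listed in the view for this port?"""
    return resolve(dnsbl_query_name(ip, zone, port)) is not None


def naive_smtp_policy(ip: str, resolve: Resolver) -> str:
    """What a stock dnsbl FEATURE does: reject any listed host."""
    return "reject" if is_tor_node(ip, resolve) else "accept"


def smtp_policy(ip: str, resolve: Resolver) -> str:
    """Reject only hosts whose exit policy actually allows port 25."""
    return "reject" if is_tor_exit_for_port(ip, 25, resolve) else "accept"


if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(host, "naive:", naive_smtp_policy(host, constructed_resolver),
              "port-aware:", smtp_policy(host, constructed_resolver))
```

Swapping constructed_resolver for live_resolver turns this into a real lookup against whatever zone is configured; the decision logic does not change, only where the A records come from.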