Author: John W. Baxter
Date:
To: exim-users
Subject: Re: [Exim] Verisign pulls a fast one
On 9/15/2003 17:45, "Gary Palmer" <gjp@???> wrote:
> Verisign is adding wildcard DNS records to all of .com and .net pointing
> to one of their servers "as browsers don't return any useful information
> when the user inputs an unregistered domain". This defeats very nicely
> sender DNS verification as now *all* .com/.net domains are valid.
> (Unless you are insisting on MX records for all domains, which is a
> slight violation of RFC)
>
> I strongly recommend EVERYONE add:
>
> 64.94.110.11
>
> to the 'ignore_target_hosts' directive on any/all dnslookup routers (in
> addition to the RFC 1918 entries that are already there, right? :) )
>
> I'm wondering how long it will take for that IP to start showing up on
> DNSBLs.
Fascinating. The web page probably *is* an improvement over what IE does
with a bad domain name: advance the progress bar in the face of no progress
and then paint a content-free page. If one sticks with a reasonable RCPT
TO: what follows may be an improvement, too.
But some MTA config changes (not just Exim) are clearly going to be needed.
I don't think we need DNSBLs for this one...hard coded ACL should do.
[john@Zeus john]$telnet fripple2.com 25
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready
ehlo fox.olympus.net
250 OK
mail from: <testtest@???>
250 OK
rcpt to: <testtest@???>
550 User domain does not exist.
[It's an unauthorized relay, Verisign, not a non-existent domain.]
I'm not as upset as when I started this message. It will be interesting to
watch.
And why did I pick fripple2.com? Because fripple.com turned out to exist
when I asked my browser about it. ;-)
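The router change Gary recommends above, and the ACL-side rejection John mentions, written out as an added example for Exim 4 (this is not configuration from the thread or from the Exim project). It assumes a default-style configuration in which the `dnslookup` router, the `remote_smtp` transport, the `+local_domains` list and the `acl_check_rcpt` ACL already exist under those names.

```exim
# Router section. With 64.94.110.11 listed in ignore_target_hosts, a .com/.net
# domain whose only A record is the Site Finder wildcard yields no usable host,
# so the router fails and the domain is treated as non-existent.
# Assumed: +local_domains and remote_smtp are defined elsewhere in the config.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  # loopback and RFC 1918 space (already present in most configs),
  # plus the Site Finder address quoted in the thread
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 10.0.0.0/8 : \
                        172.16.0.0/12 : 192.168.0.0/16 : \
                        64.94.110.11
  no_more

# ACL section. Sender verification runs the routers against the sender's
# domain; because of the entry above, a wildcard-only domain is refused at
# RCPT TO instead of being accepted as "valid".
acl_check_rcpt:
  deny    message = Sender domain does not exist
          ! verify = sender

  # deliver local domains only; everything else is a relay attempt
  accept  domains = +local_domains
  deny    message = relay not permitted
```

Sender verification caches per message, so the extra cost is one routing attempt per sender domain, not per recipient.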