On Sat, 27 Sep 2008 13:56:58 +0200, Diego d'Ambra wrote:
> To me it seems that plugin DNSBL is using Net::DNS bgsend/bgread, but
> is not checking the id of the reply received.
>
> If true this means that an attacker can white- or blacklist any email
> by sending fake dns replies (only randomisation is source port).
> Furthermore any other application on same machine also doing dns
> lookup may end up using same source port and have its replies being
> mixed with those plugin DNSBL is waiting for.
>
> SpamAssassin is also using Net::DNS bgsend/bgread, but does verify if
> the dns answer id matched the request.
>
> Maybe Net::DNS requires the caller to do the validation, or did I
> miss something?
>
> I'm working on a way to test this, but would love to hear others'
> opinion, before doing too much work for maybe nothing :-)

I'm pretty sure you're probably right. The async version uses ParaDNS which does do the id checking. (we should probably do 0x20 checking too, but I think that's beyond my skill levels :-/ )
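
The check discussed in this thread, as an added example that is not part of either message and is not qpsmtpd, Net::DNS or ParaDNS code: a reply is accepted only if its ID and question match the outstanding query and, with 0x20 checking, the name comes back in exactly the letter case that was sent. It is written in Python over raw DNS wire format; the function names, the zone name and the sample messages are constructed for illustration.

```python
import struct

def build_message(msg_id: int, flags: int, qname: str, qtype: int = 1) -> bytes:
    """Header plus one question (class IN); enough to model a DNSBL A lookup."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return (struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
            + name + b"\x00" + struct.pack("!HH", qtype, 1))

def parse_question(msg: bytes):
    """Return (id, flags, qname, qtype, qclass) for a one-question message."""
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return msg_id, flags, ".".join(labels), qtype, qclass

def reply_matches(query: bytes, reply: bytes, check_0x20: bool = True) -> bool:
    """True only if the reply answers this exact outstanding query."""
    try:
        qid, _, qname, qtype, qclass = parse_question(query)
        rid, rflags, rname, rtype, rclass = parse_question(reply)
    except (ValueError, IndexError, struct.error):
        return False                      # malformed or truncated: drop it
    if not rflags & 0x8000:               # QR bit clear: not a response
        return False
    if rid != qid or (rtype, rclass) != (qtype, qclass):
        return False
    # 0x20: the query name's letter case was randomised; a genuine reply echoes it exactly.
    return rname == qname if check_0x20 else rname.lower() == qname.lower()

# Constructed sample messages (203.0.113.2 looked up in a made-up zone).
QNAME = "2.113.0.203.dNsBL.eXamPle.oRg"
QUERY = build_message(0x1A2B, 0x0100, QNAME)
GOOD = build_message(0x1A2B, 0x8180, QNAME)
WRONG_ID = build_message(0x4444, 0x8180, QNAME)
WRONG_CASE = build_message(0x1A2B, 0x8180, QNAME.lower())

if __name__ == "__main__":
    for label, pkt in [("good", GOOD), ("wrong id", WRONG_ID), ("wrong case", WRONG_CASE)]:
        print(f"{label:10} accepted={reply_matches(QUERY, pkt)}")
```

A reply that fails the check should be ignored while the lookup keeps waiting for the real answer until its timeout, rather than being treated as a negative result.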