Matt Sergeant wrote:
> On Sat, 27 Sep 2008 13:56:58 +0200, Diego d'Ambra wrote:
>> To me it seems that plugin DNSBL is using Net::DNS bgsend/bgread, but
>> is not checking the id of the reply received.
>>
>> If true this means that an attacker can white- or blacklist any email
>
> Thinking more about this - since we don't do any "dnswl" type stuff, it
> doesn't seem that relevant.
>
> All the attacker can do is blacklist more emails, which given the
> timings surely he can only blacklist his own emails?
>
> Just a thought - wondering if this really needs to be fixed.

I've extended the async dnsbl plugin to do scoring. It occurred to me a few days ago that DNSBLs with negative scores (DNSWLs) should be treated as a hit if they get a timeout or other failure. This has prompted me to comment about checking ids too. The stock one doesn't do scoring, and hence can't do DNSWL. You want my code? You might not like my logging conventions however ;-)
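
The reply check discussed in this thread, shown at the DNS wire level as an added example; it is not code from either poster or from the qpsmtpd plugin, and it is written in Python rather than against Net::DNS. All function names, the resolver addresses and the `dnsbl.example` zone are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_message(qid, name, response=False, qtype=1):
    """Build a minimal DNS message: header plus one question (A/IN by default)."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA for a reply, RD for a query
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (id, is_response, qname, qtype, qclass), or None if malformed."""
    if len(msg) < 12:
        return None
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):  # rejects pointers and truncated labels
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, bool(flags & 0x8000), ".".join(labels), qtype, qclass

def reply_matches(query, reply, sent_to, recv_from):
    """Accept a reply only if source, ID and question all match the pending query."""
    q, r = parse_question(query), parse_question(reply)
    if q is None or r is None or sent_to != recv_from:
        return False
    return r[1] and not q[1] and r[0] == q[0] and r[2:] == q[2:]
```

A reply that fails `reply_matches` is dropped and the query stays pending until a matching reply arrives or the lookup times out.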