IPBlacklistFilterStrategy not properly querying the DNS RBLs
|Reported by:||Owned by:||Jonas Borgström|
The spam filter IPBlacklistFilterStrategy queries doesn't finalize the dns names to query properly and therefore does only relative lookups.
It queries, for exmaple, for '22.214.171.124.bsb.empty.us' when it should be querying for '126.96.36.199.bsb.empty.us.'
Although this works most of the times it will not if the resolver has zones configured to query for relative lookup in case absolute lookups doesn't yield anything. And one of those zones suddenly starts resolving wildcard.
Suppose you got:
- and a resolv.conf like
domain example.org search example.org example.com
- And example.com will start to resolve wildcard.
Internally queries will be:
- 188.8.131.52.bsb.empty.us. NXDOMAIN
- 184.108.40.206.bsb.empty.us.example.org. NXDOMAIN
- 220.127.116.11.bsb.empty.us.example.com. A 127.0.0.1 ←- OOPS
Hence sandbox/spam-filter/tracspamfilter/filters/ip_blacklist.py@4111#L55 must be modified to:
query(prefix + server.encode('utf-8') + '.')
- or better
from dns.name import from_text query(from_text(prefix + server.encode('utf-8')))
This bug is particularly bad as it might bite you in the arse all of a sudden when some infrastructure changes that you might not have under control.