Posted to commits@spamassassin.apache.org by mm...@apache.org on 2010/02/18 01:26:01 UTC

svn commit: r911235 - in /spamassassin/trunk/lib/Mail/SpamAssassin: Conf.pm Dns.pm DnsResolver.pm

Author: mmartinec
Date: Thu Feb 18 00:26:01 2010
New Revision: 911235

URL: http://svn.apache.org/viewvc?rev=911235&view=rev
Log:
Bug 6338: Use of Bit 0x20 in DNS Labels to Improve Transaction Identity
(adds 'dns_options dns0x20', allows negation of dns options, off by default)

Modified:
    spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm
    spamassassin/trunk/lib/Mail/SpamAssassin/Dns.pm
    spamassassin/trunk/lib/Mail/SpamAssassin/DnsResolver.pm

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm?rev=911235&r1=911234&r2=911235&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm Thu Feb 18 00:26:01 2010
@@ -1332,13 +1332,30 @@
     }
   });
 
-=item dns_options rotate    (default: empty)
+=item dns_options opts   (default: empty)
 
-If set to 'rotate', this causes SpamAssassin to choose a DNS server at random
+Provides a (whitespace or comma -separated) list of options applying to
+DNS resolving. Available options are 'rotate' and 'dns0x20' (without quotes).
+Option name may be negated by prepending a 'no' (e.g. 'norotate') to
+counteract previously enabled option. The last setting in configuration
+files prevails. By default options 'rotate' and 'dns0x20' are disabled.
+
+Option 'rotate' causes SpamAssassin to choose a DNS server at random
 from all servers listed in C</etc/resolv.conf> every 'dns_test_interval'
 seconds, effectively spreading the load over all currently available DNS
 servers when there are many spamd workers. 
 
+Option 'dns0x20' enables randomization of letters in a DNS query label
+according to draft-vixie-dnsext-dns0x20, decreasing a chance of collisions
+of responses (by chance or by a malicious intent) by increasing spread
+as provided by a 16-bit query ID and up to 16 bits of a port number,
+with additional bits as encoded by flipping case (upper/lower) of letters
+in a query. The number of additional random bits corresponds to the number
+of letters in a query label. Should work reliably with all mainstream
+DNS servers - do not turn on if you see frequent info messages
+"dns: no callback for id:" in the log, or if RBL or URIDNS lookups
+do not work for no apparent reason.
+
 =cut
 
   push (@cmds, {
@@ -1346,11 +1363,13 @@
     type => $CONF_TYPE_HASH_KEY_VALUE,
     code => sub {
       my ($self, $key, $value, $line) = @_;
-      my $allowed_opts = "rotate";
-      
-      foreach my $option (split (/\s+/, $value)) {
-        if ($allowed_opts !~ /^$option$/) { return $INVALID_VALUE; }
-        else { $self->{dns_options}->{$option} = 1; }
+      foreach my $option (split (/[\s,]+/, $value)) {
+        local($1,$2);
+        if (lc($option) =~ /^(no)?(rotate|dns0x20)\z/) {
+          $self->{dns_options}->{$2} = $1 ? 0 : 1;
+        } else {
+          return $INVALID_VALUE;
+        }
       }
     }
   });
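Review bot: An invalid token later in the list still leaves the earlier tokens applied, because `$self->{dns_options}->{$2}` is written inside the loop before `return $INVALID_VALUE` can fire (a line such as `dns_options rotate bogus` enables rotate and then rejects the line, so the rejected setting is half in effect). Parse into a local hash and commit only once every token has validated: `my %opts;` before the loop, `$opts{$2} = $1 ? 0 : 1;` in place of the direct assignment, and `$self->{dns_options}->{$_} = $opts{$_} for keys %opts;` after the loop. A leading separator in `$value` (e.g. `,rotate`) also produces an empty first field from `split`, which the regex then rejects; if that is not intended, `next if $option eq '';` at the top of the loop handles it. The enclosing `push (@cmds, {...})` statement and its anonymous `code` sub begin before this hunk.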

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Dns.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Dns.pm?rev=911235&r1=911234&r2=911235&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Dns.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Dns.pm Thu Feb 18 00:26:01 2010
@@ -189,7 +189,7 @@
       $log =~ s/(?<![<([])(https?:\/\/\S+)/<$1>/g;
     }
     elsif ($question->string =~ m/^(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\S+\w)/) {
-      $log = "$4.$3.$2.$1 listed in $5";
+      $log = "$4.$3.$2.$1 listed in ".lc($5);
     }
   }
 

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/DnsResolver.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/DnsResolver.pm?rev=911235&r1=911234&r2=911235&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/DnsResolver.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/DnsResolver.pm Thu Feb 18 00:26:01 2010
@@ -303,6 +303,26 @@
 
 =cut
 
+# implements draft-vixie-dnsext-dns0x20-00
+#
+sub dnsext_dns0x20 {
+  my ($string) = @_;
+  my $rnd;
+  my $have_rnd_bits = 0;
+  my $result = '';
+  for my $ic (unpack("C*",$string)) {
+    if (chr($ic) =~ /^[A-Za-z]\z/) {
+      if ($have_rnd_bits < 1) {
+        $rnd = rand(0x7fffffff);  $have_rnd_bits = 31;
+      }
+      $ic ^= 0x20  if $rnd & 1;  # flip the 0x20 bit in name if dice says so
+      $rnd = $rnd >> 1;  $have_rnd_bits--;
+    }
+    $result .= chr($ic);
+  }
+  return $result;
+}
+
 sub new_dns_packet {
   my ($self, $host, $type, $class) = @_;
 
@@ -317,6 +337,7 @@
   $self->connect_sock_if_reqd();
   my $packet;
   eval {
+    $host = dnsext_dns0x20($host)  if $self->{conf}->{dns_options}->{dns0x20};
     $packet = Net::DNS::Packet->new($host, $type, $class);
 
     # a bit noisy, so commented by default...
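Review bot: The case-randomized `$host` only adds protection if the reply's question name is later compared case-sensitively against the encoded query, and this hunk does not show where that comparison happens; the escalation of the "no callback for id" message in the last hunk suggests the callback key already includes the question name, but that dependency is invisible at this line. A comment on the new line would make it explicit, e.g. `# reply matching must compare the question name case-sensitively; a reply whose name differs in case is dropped as "no callback for id"`, so a later change to how callbacks are keyed does not silently neutralize the option. `$host` is the sub's own copy, so the caller's value is unchanged, but any logging or caching after the eval that uses `$host` will presumably see the mixed-case form. `new_dns_packet` begins before this hunk.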
@@ -463,8 +484,8 @@
 
       my $cb = delete $self->{id_to_callback}->{$id};
       if (!$cb) {
-        dbg("dns: no callback for id: %s, ignored; packet: %s",
-            $id,  $packet ? $packet->string : "undef" );
+        info("dns: no callback for id: %s, ignored; packet: %s",
+             $id,  $packet ? $packet->string : "undef" );
       } else {
         $cb->($packet, $id, $now);
         $cnt++;
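Review bot: Promoting the unmatched-reply message to `info` also promotes the full `$packet->string` dump, so a burst of unsolicited or case-mismatched replies — which this option makes more likely, and which stray datagrams can trigger regardless — now writes one packet dump (multi-line in Net::DNS) per datagram to the info log. Keep the one-line summary at info and leave the body at dbg: `info("dns: no callback for id: %s, ignored", $id);` followed by `dbg("dns: ignored packet: %s", $packet ? $packet->string : "undef");`. The enclosing reply-processing sub begins before this hunk.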