Seth Woolley's Blog

Occasional Musings

dns blacklists, spam control, and net neutrality

Critique

On four occasions in the past month I've sent email and had it bounce back due to DNS blacklists (specifically SORBS), since I send email from a cable modem range.  These four instances were:

  • A university in Greece, while sending email to a professor.
  • A university in the Czech Republic, another to a professor.
  • A smaller email service provider to another Source Mage developer.
  • A custom email service provider in Portland.  I re-sent the email from another account, but received no reply as well.

What particularly disturbs me is that these blacklists have not merely decided to block based on a series of factors, but on an entire class of users.  The whole debate about a neutral net has broken down with the email system.  Users who can administer their own boxes have no way out of the SORBS blacklist, even by request.  SORBS, thus, exists only to serve corporate interests who want to Balkanize the web into classes of "pay extra" and "users who shall have no democratizing force".

If a user wants to use a blacklist, that's fine.  But most of these people having their email blacklisted have no idea what is going on.

More thoughts on blacklists can be found here:

http://www.faqs.org/ftp/internet-drafts/draft-church-dnsbl-harmful-01.txt

Example

In one case, I was attempting to notify the person of a security vulnerability in some of their code.  The IT department of the university is responsible for this blacklisting; they are also directly responsible for the security of said network, and I have no way to communicate with them.  So I will simply publish the results for all to see here:

http://swoolley.org/man.cgi/man

Read the first paragraph -- it points out that an argument containing a / is interpreted as a filename.  My manual page viewer does not have this problem because I knew man had this behavior.

http://www.softlab.ntua.gr/cgi-bin/man-cgi?man

Oddly, the copy of the manual served by the viewer above makes no mention of this.

Exploit

http://www.softlab.ntua.gr/cgi-bin/man-cgi?/etc/passwd

So a request like the above URL works -- the author had no idea man did that, despite this package being a rewrite.
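As an added example (not the softlab script and not my own man.cgi), here is how a CGI wrapper can validate the page name before handing it to man, so that a request like the one above is rejected after URL decoding rather than passed through; the allowed name and section patterns are assumptions:

```python
import re
import urllib.parse

# Assumed allowlists: a page name starts with an alphanumeric (so it can never
# be mistaken for an option) and contains no '/', which man would treat as a path.
PAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.+:-]{0,63}$")
SECTION = re.compile(r"^[1-9][A-Za-z]{0,4}$")


def vulnerable_argv(query):
    """The failure mode described above: the raw query goes straight to man,
    and man displays any argument containing '/' as a file."""
    return ["man", query]


def safe_argv(query):
    """Hardened form: decode first, split an optional 'name(section)' suffix,
    allowlist both parts, and separate options from operands with '--'.
    Returns the argv to run, or None when the request must be rejected."""
    name = urllib.parse.unquote(query).strip()   # %2F becomes '/' here, so check after decoding
    section = None
    if "(" in name and name.endswith(")"):
        name, section = name[:-1].split("(", 1)
    if "/" in name or not PAGE_NAME.match(name):
        return None
    if section is not None and not SECTION.match(section):
        return None
    argv = ["man"]
    if section:
        argv.append(section)
    argv += ["--", name]
    return argv


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate, the rest are rejected.
    for q in ["man", "man(1)", "/etc/passwd", "%2Fetc%2Fpasswd", "-l", "../../etc/passwd"]:
        print(repr(q), "->", safe_argv(q))
```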

I sent the author an email notifying him of this, but SORBS blacklisted my email.  Thanks to SORBS, you all have first disclosure.
