# HG changeset patch # User Carl Byington # Date 1492358812 25200 # Node ID e018ed19a1ccb259a6bd97f89b7975d4ba23ac70 # Parent 067963dc142f752bf1f0c82f86073f3c40c3383c require 3 dots in bare ip addresses diff -r 067963dc142f -r e018ed19a1cc ChangeLog --- a/ChangeLog Thu Mar 30 10:31:23 2017 -0700 +++ b/ChangeLog Sun Apr 16 09:06:52 2017 -0700 @@ -1,3 +1,6 @@ +6.55 2017-04-16 + require 3 dots in bare ip addresses. + 6.54 2017-03-30 document dmarc vs dnsbl dkim/spf. switch to . rather than " " for dkim impossible signer. diff -r 067963dc142f -r e018ed19a1cc NEWS --- a/NEWS Thu Mar 30 10:31:23 2017 -0700 +++ b/NEWS Sun Apr 16 09:06:52 2017 -0700 @@ -1,3 +1,4 @@ +6.55 2017-04-16 require 3 dots in bare ip addresses. 6.54 2017-03-30 document dmarc vs dnsbl dkim/spf; switch to . rather than " " for dkim impossible signer 6.53 2017-03-17 suppress duplicate calls to acceptable_content(); redirect= in spf 6.52 2017-03-09 document dkim/spf processing, handle a and a: elements diff -r 067963dc142f -r e018ed19a1cc configure.in --- a/configure.in Thu Mar 30 10:31:23 2017 -0700 +++ b/configure.in Sun Apr 16 09:06:52 2017 -0700 @@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(dnsbl,6.54,carl@five-ten-sg.com) +AC_INIT(dnsbl,6.55,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff -r 067963dc142f -r e018ed19a1cc dnsbl.spec.in --- a/dnsbl.spec.in Thu Mar 30 10:31:23 2017 -0700 +++ b/dnsbl.spec.in Sun Apr 16 09:06:52 2017 -0700 @@ -155,6 +155,9 @@ %changelog +* Sun Apr 16 2017 Carl Byington - 6.55-1 +- require 3 dots in bare ip addresses. + * Thu Mar 30 2017 Carl Byington - 6.54-1 - document dmarc vs dnsbl dkim/spf; switch to . rather than " " for dkim impossible signer. diff -r 067963dc142f -r e018ed19a1cc src/dnsbl.cpp --- a/src/dnsbl.cpp Thu Mar 30 10:31:23 2017 -0700 +++ b/src/dnsbl.cpp Sun Apr 16 09:06:52 2017 -0700 
@@ -316,9 +316,15 @@ // process, which does the actual dns resolution. if (priv.err) return 0; // cannot ask more questions on this socket. if (maybe_ip && (qtype == ns_t_a)) { - // might be a bare ip address, try this first to avoid dns lookups that may not be needed + int c = 0; + const char q = question; + while (*q) { + if (*q == '.') c++; + q++; + } + // might be a bare IPv4 address, try this first to avoid dns lookups that may not be needed in_addr ip; - if (inet_aton(question, &ip)) { + if ((c == 3) && inet_aton(question, &ip)) { return ip.s_addr; } } diff -r 067963dc142f -r e018ed19a1cc xml/dnsbl.in --- a/xml/dnsbl.in Thu Mar 30 10:31:23 2017 -0700 +++ b/xml/dnsbl.in Sun Apr 16 09:06:52 2017 -0700 @@ -545,7 +545,8 @@ identical to a DMARC reject policy with strict identifier alignment. When doing SPF fallback, DMARC checks SPF based on the rfc5321 envelope from domain. DNSBL checks SPF based on the rfc5322 header - from domain. DMARC does not allow mail from good.example.com to be + from domain, but we ignore mx: and ptr: elements in the txt record. + DMARC does not allow mail from good.example.com to be signed by trusted.example.net - which is a common case. Both Microsoft Office365 and Google run mail for customer domains, but use DKIM signing domains in onmicrosoft.com and gappssmtp.com, which are @@ -955,11 +956,11 @@ # # blacklisting based on header from value - requiring signatures # from an impossible signer. - spammer.domain require_signed " "; + spammer.domain require_signed .; # # whitelisting based on strong spf pass - whitelisted if signed by # an impossible signer (which will never happen) or strong spf pass. - some.domain signed_white " "; + some.domain signed_white .; # # whitelisting based on valid signature or strong spf pass. # some paychex mail is signed, some is unsigned but passes strong spf.
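Review bot: The new `(c == 3)` guard in front of `inet_aton(question, &ip)` rejects the short forms, but `inet_aton` still accepts octal and hexadecimal components, so a four-label name whose labels parse as numbers in those bases is still returned as an address without a DNS lookup. Since `question` presumably derives from message content, a strict dotted-decimal parser is safer and makes the counting loop unnecessary: `if (inet_pton(AF_INET, question, &ip) == 1) {`. As rendered here the added declaration reads `const char q = question;` while the loop dereferences `*q`; unless that is an extraction artifact it should be `const char *q = question;`. The enclosing function starts and ends outside the hunk, so how `maybe_ip` is set cannot be checked from here.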