#546 DNSBL lookup functionality for ip_restrict

open
5
2008-11-12
2008-11-12
No

One of the features of the current webmail credential phishing campaigns seems to be that the IP addresses used to abuse hijacked accounts are making their way into the popular DNSBLs.

Although it would do nothing to prevent credential theft in the first place, having the option to prevent known spammer IP addresses logging in to SquirrelMail might help mitigate the resulting abuse.

ip_restrict seems like a logical place to put such functionality. There would be considerations regarding how this functionality might be enabled, disabled, and customised (to use DNSBLs of choice and/or local mirrors) of course, but the basic outline would be something like:

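// Sample DNSBL lookup test //
include("Net/DNS.php");
$ndr = new Net_DNS_Resolver();
// $remote is assumed to hold the client's dotted-quad IPv4 address
$octets = explode(".", $remote);
// Query the reversed octets under the DNSBL zone
$answer = $ndr->search("$octets[3].$octets[2].$octets[1].$octets[0].sbl.spamhaus.org", "A");
// search() returns false when no record exists, so an answer means the host is listed
if ($answer) {
    logout_error(_("Attempted connection from blacklisted host denied."));
    die();
}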

Discussion

  • Paul Lesniewski

    Paul Lesniewski - 2008-11-12

    It may also be appropriate to add this to the Lockout plugin (which can and does block IP addresses, albeit only ones that are being used to brute force the login page).

    However, I think ip_restrict is probably the better place. It could be useful to also add a ! operator to the syntax of the ip_restrict rules to block known addresses or address blocks, so I'll assign this to Jon.

    Thanks for the code sample - I'd be interested to see if it could be implemented (without too much code) without the Pear dependency, but if not, I don't think that's a problem.

    You are always welcome to submit a patch to Jon or the plugins mailing list if Jon doesn't have the time/desire to implement this.

     
  • Paul Lesniewski

    Paul Lesniewski - 2008-11-12
    • assigned_to: nobody --> jangliss
     
  • Jonathan Angliss

    Thanks for the suggestion. I'll take a look at it sometime in the next week or so. I don't believe a requirement on PEAR will be needed. We have similar functionality built into the filters plugin that does DNS lookups against RBLs. It uses the PHP internal DNS functions (gethostbyname()), so I'll probably just pull that functionality over.
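
A sketch of the PEAR-free lookup discussed in this thread, as an added example that is not SquirrelMail, ip_restrict or filters plugin code. The function names, the injectable resolver and the stub's addresses and answers are assumptions constructed so the sample runs without DNS.

```php
<?php
// Added example; dnsbl_query_name(), dnsbl_is_listed() and $stub are hypothetical names.

/** Build the reversed-octet query name, or null if $ip is not dotted-quad IPv4. */
function dnsbl_query_name($ip, $zone)
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // IPv6 or malformed input: this query format does not apply
    }
    // Trailing dot makes the name fully qualified, so resolver search domains are not appended.
    return implode('.', array_reverse(explode('.', $ip))) . '.' . $zone . '.';
}

/**
 * True only when the zone answers with a 127.0.0.x address.
 * $resolve defaults to gethostbyname(), which returns its argument unchanged on failure.
 */
function dnsbl_is_listed($ip, $zone, $resolve = 'gethostbyname')
{
    $name = dnsbl_query_name($ip, $zone);
    if ($name === null) {
        return false;
    }
    $answer = call_user_func($resolve, $name);
    // Assumption: the zone signals a listing with 127.0.0.x. Anything else (no record,
    // timeout, some other address) counts as not listed, so a DNS fault does not
    // lock every user out of the login page.
    return filter_var($answer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        && strpos($answer, '127.0.0.') === 0;
}

// Constructed offline stand-in for DNS, using documentation-range client addresses.
$stub = function ($name) {
    $records = array(
        '10.2.0.192.sbl.spamhaus.org.' => '127.0.0.2',       // constructed listing
        '20.2.0.192.sbl.spamhaus.org.' => '127.255.255.254', // constructed non-listing answer
    );
    return isset($records[$name]) ? $records[$name] : $name; // mimic gethostbyname() failure
};

foreach (array('192.0.2.10', '192.0.2.20', '198.51.100.7', '2001:db8::1') as $ip) {
    $verdict = dnsbl_is_listed($ip, 'sbl.spamhaus.org', $stub) ? 'DENY' : 'allow';
    printf("%-14s %s\n", $ip, $verdict);
}
```

Only the first sample address is denied; the unexpected answer, the unlisted address and the IPv6 address all fall through to allow.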

     
