[wildcard-comments] DNSBL potential disaster
Another potential disaster of Verisign's wildcards, or any TLD wildcards, is with antispam open-relay blacklists or DNSBL lookups. Mail server software such as sendmail, qmail, postfix, etc., as well as antispam software such as SpamAssassin, can look up the IP address of the sender against several DNS blacklists such as ordb.org, sorbs.net, etc. The logic is usually something like:

    if [reverse-ip].dnsbl.sorbs.net exists   # server is blacklisted
        then reject connection

If any of those DNSBL domains were to expire and be replaced with a wildcard, every IP would resolve, causing ALL e-mails from ANY server to be rejected as spam. Some MTAs only reject the connection if the DNSBL returns a particular IP such as 127.0.0.xxx, but older versions only check that the DNSBL name resolves (e.g. Sendmail 8.9.3, which is still widely used world-wide).
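An added example (not from the post) contrasting the two lookup styles described above: the old "name exists, so reject" logic beside a check that only trusts 127.0.0.x answers, plus the RFC 5782 sanity probe (127.0.0.2 must be listed, 127.0.0.1 must not). The resolver, the zone names dnsbl.example / expired.example and the wildcard address 192.0.2.10 are all constructed stand-ins.

```python
import ipaddress

# Constructed stand-in for a resolver: a well-behaved list with a few exact
# names, plus a zone that has "expired" and now answers EVERY name with one
# wildcard address (192.0.2.10 is a documentation address, not any real
# registry's redirect). Sample data only, not real DNSBL contents.
LISTED_NAMES = {
    "4.3.2.1.dnsbl.example": ["127.0.0.2"],    # a listed open relay
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],  # RFC 5782 "must be listed" probe
}
WILDCARD_ZONES = {"expired.example": ["192.0.2.10"]}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def reverse_ip(ip):
    """1.2.3.4 -> 4.3.2.1, the label order DNSBL zones use."""
    return ".".join(reversed(ip.split(".")))

def lookup(name):
    """Simulated A lookup; an empty list stands for NXDOMAIN."""
    if name in LISTED_NAMES:
        return LISTED_NAMES[name]
    for zone, addrs in WILDCARD_ZONES.items():
        if name.endswith("." + zone):
            return addrs  # wildcard: any name under the zone resolves
    return []

def naive_check(ip, zone):
    """The old MTA logic from the post: any answer at all means 'listed'."""
    return bool(lookup(reverse_ip(ip) + "." + zone))

def strict_check(ip, zone):
    """Listed only if every A record is a 127.0.0.x return code. An answer
    outside 127.0.0.0/8 means a broken or expired zone and must not block."""
    records = lookup(reverse_ip(ip) + "." + zone)
    return bool(records) and all(ipaddress.ip_address(r) in LOOPBACK
                                 for r in records)

def zone_is_sane(zone):
    """RFC 5782 probe: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A wildcarded zone answers both the same way and therefore fails."""
    return strict_check("127.0.0.2", zone) and not strict_check("127.0.0.1", zone)
```

With the naive check, the innocent 5.6.7.8 is rejected as soon as the expired zone starts answering everything; the strict check and the zone probe both catch that condition.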