Interesting DNS Behaviour
phn at icke-reklam.ipsec.nu
phn at icke-reklam.ipsec.nu
Thu Nov 14 18:40:56 UTC 2002
Thomas H Jones II <ferric at xanthia.com> wrote:
> I know this will probably result in a "well DUH" type of response, but
> I needed to post any way...
> Recently, I received some SPAM emails. While going through the process
> of tracking down who might have actually sent it, i went through the
> following sequence:
> $ whois -h whois.arin.net 66.205.218.24
> E Broadband Now Inc. EBROADBANDNOW (NET-66-205-192-0-1)=20
> 66.205.192.0 - 66.205.223.255
> Race Technologies NTBLK-RACE1 (NET-66-205-218-0-1)=20
> 66.205.218.0 - 66.205.218.255
> Since the logs indicted that the address may be forged, even though
> it did not show any hostnames:
> from mx3.finehost.net ( [66.205.218.24] (may be forged))
> ^
> (I didnt immediately notice the " " between the opening paren and the
> opening square bracket). So, I did an nslookup on the IP: =20
> $ nslookup 66.205.218.24
> Server: ns2.xanthia.com
> Address: 199.248.145.12
> =20
> Name: =20
> Address: 66.205.218.24
> I was a bit taken aback at this 'null' response. So, i randomly checked
> IPs withing the netblock that the original IP belonged to. Same results.
> I was thinking, "ok, this is odd, maybe I should complain to their DNS
> admins and possibly their parent network provider". Then it occurred to
> me that both netblocks were run by the same people. Sure enough, I chec=
ked
> some IPs in the parent network and got the same behaviour.
> I couldnt immediately figure out why someone would bother to set up
> "PTR ." records for reverse lookups, rather than just leaving them blan=
k.
> Then it occurred to me: some MTA's will refuse to accept emails if they
> cannot get a PTR lookup response. This would allow SPAMmers to get by
> such rules. Further, it would be somewhat challenging to write a regex
> based rule for stopping mails from 'null' sources.
> This all seems RATHER unfriendly. Somehow strikes me that "." should
> not be a valid value for a PTR record.
> So, has anyone else run into this. If so, has anyone come up with a way
> of stomping SPAMs from such unfriendly sources?
Thanks for the report. The cure, of course is the following line in /etc/=
mail/access :
66.205.192/19 471 You seem to spam !
> -tom
> --=20
> "You can only be -so- accurate with a claw-hammer." --me
--=20
Peter H=E5kanson =20
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out=
,
remove "icke-reklam" if you feel for mailing me. Thanx.
More information about the bind-users
mailing list