Interesting DNS Behaviour

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Thu Nov 14 18:40:56 UTC 2002


Thomas H Jones II <ferric at xanthia.com> wrote:
> I know this will probably result in a "well DUH" type of response, but
> I needed to post any way...

> Recently, I received some SPAM emails. While going through the process
> of tracking down who might have actually sent it, i went through the
> following sequence:

> $ whois -h whois.arin.net 66.205.218.24
> E Broadband Now Inc. EBROADBANDNOW (NET-66-205-192-0-1)
>                                   66.205.192.0 - 66.205.223.255
> Race Technologies NTBLK-RACE1 (NET-66-205-218-0-1)
>                                   66.205.218.0 - 66.205.218.255

> Since the logs indicated that the address may be forged, even though
> it did not show any hostnames:

> 	from mx3.finehost.net ( [66.205.218.24] (may be forged))
>                                ^
> (I didn't immediately notice the " " between the opening paren and the
> opening square bracket). So, I did an nslookup on the IP:

>    $ nslookup 66.205.218.24
>    Server:  ns2.xanthia.com
>    Address:  199.248.145.12
>
>    Name:
>    Address:  66.205.218.24

> I was a bit taken aback at this 'null' response. So, i randomly checked
> IPs within the netblock that the original IP belonged to. Same results.
> I was thinking, "ok, this is odd, maybe I should complain to their DNS
> admins and possibly their parent network provider". Then it occurred to
> me that both netblocks were run by the same people. Sure enough, I checked
> some IPs in the parent network and got the same behaviour.

> I couldn't immediately figure out why someone would bother to set up
> "PTR ." records for reverse lookups, rather than just leaving them blank.
> Then it occurred to me: some MTAs will refuse to accept emails if they
> cannot get a PTR lookup response. This would allow SPAMmers to get by
> such rules. Further, it would be somewhat challenging to write a regex-
> based rule for stopping mails from 'null' sources.

> This all seems RATHER unfriendly. Somehow strikes me that "." should
> not be a valid value for a PTR record.

> So, has anyone else run into this? If so, has anyone come up with a way
> of stomping SPAMs from such unfriendly sources?

Thanks for the report. The cure, of course, is the following line in /etc/mail/access:
66.205.192/19   471 You seem to spam !



> -tom

> -- 

> "You can only be -so- accurate with a claw-hammer."  --me


-- 
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
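The following Python is an added example and not code posted by anyone in this thread. It models the situation the original mail describes: a reverse lookup that returns an answer whose only target is the root label ".", so a check that merely asks "did the PTR query return something?" passes even though no hostname exists to log, match or forward-confirm. It distinguishes that null-PTR case from a genuinely missing PTR, applies forward-confirmed reverse DNS to the names that survive, and optionally applies a netblock reject list in the spirit of the reply's access-map entry. All DNS data, the example hostnames, and the CIDR form of the netblock are constructed for the example; nothing touches the network.

```python
"""Classify an SMTP client address by its reverse DNS.

Added example, not code from the original thread. The "PTR ." case from the
post is modelled as a query that succeeds but whose only answer is the root
label, which a naive "any PTR answer is fine" test accepts. All DNS data is
constructed and injected; no network lookups are made.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample zone data (assumption: invented for this example, not
# real records for these addresses; 192.0.2.0/24 is documentation space).
PTR_RECORDS = {
    "24.218.205.66.in-addr.arpa.": ["."],                # the null PTR from the post
    "10.2.0.192.in-addr.arpa.": ["mx.example.net."],     # normal, forward-confirmed
    "11.2.0.192.in-addr.arpa.": ["ghost.example.net."],  # PTR exists, no A record back
    # 192.0.2.12 deliberately has no PTR at all (empty answer / NXDOMAIN)
}
A_RECORDS = {
    "mx.example.net.": ["192.0.2.10"],
}

# Netblock reject list in the spirit of the reply's access-map entry
# (assumption: the reply's /19 written out in CIDR form).
REJECT_NETBLOCKS = (ip_network("66.205.192.0/19"),)


def reverse_name(ip: str) -> str:
    """Owner name (in-addr.arpa or ip6.arpa) a resolver would query for ip."""
    return ip_address(ip).reverse_pointer + "."


def lookup_ptr(ip: str) -> list[str]:
    """Stand-in for a PTR query against the constructed zone."""
    return PTR_RECORDS.get(reverse_name(ip), [])


def lookup_a(name: str) -> list[str]:
    """Stand-in for an A query against the constructed zone."""
    return A_RECORDS.get(name, [])


def is_null_target(target: str) -> bool:
    """True for PTR RDATA that names no host: the root label or an empty string."""
    return target.strip() in ("", ".")


def naive_has_ptr(ip: str, ptr_lookup=lookup_ptr) -> bool:
    """The weak test the post describes: any PTR answer at all counts."""
    return bool(ptr_lookup(ip))


@dataclass(frozen=True)
class Verdict:
    status: str            # "blocked", "no-ptr", "null-ptr", "unconfirmed", "ok"
    hostname: str | None   # name to log or match against, when one exists


def check_client(ip: str, ptr_lookup=lookup_ptr, a_lookup=lookup_a,
                 reject_nets=()) -> Verdict:
    """Reverse-DNS policy for one SMTP client address.

    A netblock match needs no DNS at all; a null PTR is reported separately
    from a missing one (same outcome, different operator behaviour); and a
    surviving name is only trusted when it resolves back to the client.
    """
    addr = ip_address(ip)
    if any(addr in net for net in reject_nets):
        return Verdict("blocked", None)

    targets = ptr_lookup(ip)
    if not targets:
        return Verdict("no-ptr", None)

    usable = [t for t in targets if not is_null_target(t)]
    if not usable:
        # The query "succeeded", but every target is ".": treat as no PTR.
        return Verdict("null-ptr", None)

    for name in usable:
        if ip in a_lookup(name):  # forward-confirmed reverse DNS
            return Verdict("ok", name.rstrip("."))
    return Verdict("unconfirmed", usable[0].rstrip("."))


if __name__ == "__main__":
    for client in ("66.205.218.24", "192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(client, "naive:", naive_has_ptr(client),
              "policy:", check_client(client, reject_nets=REJECT_NETBLOCKS))
```

Run as a script it prints both verdicts side by side; the post's address is accepted by the naive test and reported as `null-ptr` by the policy check (or `blocked` once the netblock list is applied). The lookup functions are parameters so a real resolver can be dropped in without changing the policy logic.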

