Re: BOTNET IPv6 patch

Sat, 02 Jul 2011 01:11:54 -0700 

On 30.06.2011 13:06 CE(S)T, Matthew Newton wrote:
> On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote:
>>> Received: from sp***ck.di***ie.com ([2001:***::40])
>>>     by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
>>>     (Exim 4.71)
>>>     (envelope-from <L***e@Di***ie.com>)
>>>     id 1Qc0UA-0001R3-DT
>>>     for nospam.list@un***ed.de; Wed, 29 Jun 2011 21:31:44 +0200
>>> X-Spam-Report: Content analysis details:
>>>   0.2 BOTNET                 Relay might be a spambot or virusbot
>>>                      
>>> [botnet0.8,ip=2**.1**.2**.7*,maildomain=Di***ie.com,nordns]
>> Doesn't seem to work. It's a false positive again. And Botnet recognises
>> the incoming IPv6 address as some IPv4 address and reports that one.
> 
> That doesn't look right - unless your munging has really messed it
> up. BOTNET seemed to check an IPv4 address there: "2**.1**.2**.7*"
> 
> Do a dig -x against that IPv4 address, and the 2001:***::40
> address, and see if both have correct PTRs.

I cannot interpret the results:

> $ dig -x 216.191.234.70
> 
> ; <<>> DiG 9.7.0-P1 <<>> -x 216.191.234.70
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22386
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;70.234.191.216.in-addr.arpa. IN      PTR
> 
> ;; AUTHORITY SECTION:
> 234.191.216.in-addr.arpa. 3446        IN      SOA     
> ns1.business.allstream.net. hostmaster.business.allstream.net. 2010030901 
> 3600 900 604800 21600
> 
> ;; Query time: 1 msec
> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
> ;; WHEN: Sat Jul  2 10:02:25 2011
> ;; MSG SIZE  rcvd: 118

and

> $ dig -x 2001:470:8900::40
> 
> ; <<>> DiG 9.7.0-P1 <<>> -x 2001:470:8900::40
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34084
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. IN 
> PTR
> 
> ;; ANSWER SECTION:
> 0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. 
> 3600 IN PTR spock.dilkie.com.
> 
> ;; Query time: 1141 msec
> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
> ;; WHEN: Sat Jul  2 10:02:38 2011
> ;; MSG SIZE  rcvd: 120

(I figured out it's useless to obfuscate addresses and names here as
they're sent over the list as well.)

-- 
Yves Goergen "LonelyPixel" <nospam.l...@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de

Reply via email to