Nmap Development mailing list archives

Re: dns-blacklist false positive? (list.quorum.to)


From: David Fifield <david () bamsoftware com>
Date: Sun, 11 Mar 2012 10:49:42 -0700

On Sun, Mar 11, 2012 at 10:41:45AM +0100, Patrik Karlsson wrote:
> On Fri, Mar 9, 2012 at 8:57 PM, David Fifield <david () bamsoftware com> wrote:
>
> > On Fri, Mar 09, 2012 at 11:53:18AM -0800, David Fifield wrote:
> > > I get this when running dns-blacklist against scanme.nmap.org:
> > >
> > > Host script results:
> > > | dns-blacklist:
> > > |   SPAM
> > > |_    list.quorum.to - SPAM
> > >
> > > But I did a search using their web interface at
> > > http://www.quorum.to/pubsearch, and they have no record of
> > > scanme.nmap.org.
> >
> > According to http://www.quorum.to/publicbl.html, a host not in their
> > database is "blocked because it has never been seen to send mail." Maybe
> > we should remove this list then? It's going to report SPAM for virtually
> > all IP addresses.
>
> Thanks for finding this David. I checked the source and found some comment
> about a problem with quorum.to incorrectly returning a 127.0.0.0 when hosts
> are not listed. I changed the code to make sure that the response is not
> 127.0.0.0 and only then list the host as SPAM. I confirmed this was working
> by running a few IPs of this list against it:
> http://www.spamhaus.org/sbl/listings/chinanet-zj
>
> It seems to be working as expected and scanme.nmap.org does not turn up as
> blacklisted anymore. I've committed the change as r28270.

I think that unlisted hosts returning 127.0.0.1 is by design, not an
error on Quorum's part. My understanding of the service is that you use
it to answer the question "should I accept mail from this host?" and
their answer could be, "no, because we've never heard of this host and
therefore don't think it's a mail server."

I tested the host list you sent with

wget -O - http://www.spamhaus.org/sbl/listings/chinanet-zj | \
        grep -o -P '\d+\.\d+\.\d+\.\d+' | sed -e 's/\.0$/.1/' | \
        nmap --script=dns-blacklist -n -sn -Pn -iL -

I found an address listed by Quorum, and picked one to test with

dig any 169.187.101.202.list.quorum.to.

From that response, it appears that there are three cases:

1. Host is listed, and not blocked → NXDOMAIN.
2. Host is listed, and blocked → A 127.0.0.2.
3. Host is not listed → A 127.0.0.1.

So, that was a lot of work just to find out that your change is probably
correct :) I was afraid that cases (2) and (3) would not be
distinguishable. I saw the comment you mentioned, "list.quorum.to [...]
incorrectly returns 127.0.0.0 when all is good." That makes me think
that the interface might have changed recently from returning 127.0.0.0
for unlisted hosts to returning 127.0.0.1. (And probably also changed
from returning 127.0.0.1 to 127.0.0.2 for listed hosts.) Anyway, it
looks like that comment and the code under it are obsolete.

Would you remove that comment and the code under it, and also add
comments describing our current belief of how Quorum works, i.e., the
distinction between 127.0.0.1 and 127.0.0.2?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
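The three response cases David lists above, written out as a small added example (not the dns-blacklist script's own Lua code): it builds the reversed-octet query name for list.quorum.to, classifies a Quorum answer, and shows why treating any A record as a hit produced the scanme.nmap.org false positive. The sample responses are constructed, not live lookups; 192.0.2.10 and 198.51.100.7 are documentation addresses, and the 127.0.0.0 handling is an assumption based on the obsolete comment quoted in the thread.

```python
import ipaddress

ZONE = "list.quorum.to"


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_quorum(answer):
    """Map a Quorum answer to one of the three cases observed in the thread.

    answer is None for NXDOMAIN, otherwise the address from the A record.
    """
    if answer is None:
        return "listed, not blocked"        # case 1: NXDOMAIN
    if answer == "127.0.0.2":
        return "listed, blocked"            # case 2: the only real SPAM hit
    if answer in ("127.0.0.1", "127.0.0.0"):  # 127.0.0.0: older behaviour (assumption)
        return "not listed"                 # case 3: host never seen sending mail
    return "unexpected response"


def old_logic_reports_spam(answer):
    """Obsolete behaviour: any A record at all was reported as SPAM."""
    return answer is not None


def new_logic_reports_spam(answer):
    """Corrected behaviour: only the 'blocked' return code counts as SPAM."""
    return classify_quorum(answer) == "listed, blocked"


# Constructed sample responses keyed by query name (no network access).
SAMPLE_RESPONSES = {
    dnsbl_query_name("192.0.2.10"): "127.0.0.1",       # unknown host, like scanme
    dnsbl_query_name("202.101.187.169"): "127.0.0.2",  # blocked host from the thread
    dnsbl_query_name("198.51.100.7"): None,            # listed but not blocked
}


def compare_logic(responses=SAMPLE_RESPONSES):
    """Return {query_name: (old_says_spam, new_says_spam, classification)}."""
    return {name: (old_logic_reports_spam(a), new_logic_reports_spam(a), classify_quorum(a))
            for name, a in responses.items()}


if __name__ == "__main__":
    for name, (old, new, label) in compare_logic().items():
        print(f"{name}: old={old} new={new} ({label})")
```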
