Nmap Development mailing list archives
Re: dns-blacklist false positive? (list.quorum.to)
From: David Fifield <david () bamsoftware com>
Date: Sun, 11 Mar 2012 10:49:42 -0700
On Sun, Mar 11, 2012 at 10:41:45AM +0100, Patrik Karlsson wrote:
> On Fri, Mar 9, 2012 at 8:57 PM, David Fifield <david () bamsoftware com> wrote:
> > On Fri, Mar 09, 2012 at 11:53:18AM -0800, David Fifield wrote:
> > > I get this when running dns-blacklist against scanme.nmap.org:
> > >
> > > Host script results:
> > > | dns-blacklist:
> > > |   SPAM
> > > |_    list.quorum.to - SPAM
> > >
> > > But I did a search using their web interface at
> > > http://www.quorum.to/pubsearch, and they have no record of scanme.nmap.org.
> >
> > According to http://www.quorum.to/publicbl.html, a host not in their
> > database is "blocked because it has never been seen to send mail." Maybe we
> > should remove this list then? It's going to report SPAM for virtually all
> > IP addresses.
>
> Thanks for finding this David. I checked the source and found some comment
> about a problem with quorum.to incorrectly returning a 127.0.0.0 when hosts
> are not listed. I changed the code to make sure that the response is not
> 127.0.0.0 and only then list the host as SPAM. I confirmed this was working
> by running a few IPs of this list against it:
> http://www.spamhaus.org/sbl/listings/chinanet-zj
> It seems to be working as expected and scanme.nmap.org does not turn up as
> blacklisted anymore. I've committed the change as r28270.
I think that unlisted hosts returning 127.0.0.1 is by design, not an error on
Quorum's part. My understanding of the service is that you use it to answer the
question "should I accept mail from this host?" and their answer could be, "no,
because we've never heard of this host and therefore don't think it's a mail
server."

I tested the host list you sent with

  wget -O - http://www.spamhaus.org/sbl/listings/chinanet-zj | \
    grep -o -P '\d+\.\d+\.\d+\.\d+' | sed -e 's/\.0$/.1/' | \
    nmap --script=dns-blacklist -n -sn -Pn -iL -

I found an address listed by Quorum, and picked one to test with

  dig any 169.187.101.202.list.quorum.to

From that response, it appears that there are three cases:

1. Host is listed, and not blocked → NXDOMAIN.
2. Host is listed, and blocked → A 127.0.0.2.
3. Host is not listed → A 127.0.0.1.

So, that was a lot of work just to find out that your change is probably
correct :) I was afraid that cases (2) and (3) would not be distinguishable.

I saw the comment you mentioned, "list.quorum.to [...] incorrectly returns
127.0.0.0 when all is good." That makes me think that the interface might have
changed recently from returning 127.0.0.0 for unlisted hosts to returning
127.0.0.1. (And probably also changed from returning 127.0.0.1 to 127.0.0.2 for
listed hosts.) Anyway, it looks like that comment and the code under it are
obsolete. Would you remove that comment and the code under it, and also add
comments describing our current belief of how Quorum works; i.e., the
distinction between 127.0.0.1 and 127.0.0.2.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
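The three response cases David lays out, as an added example (not code from this thread or from Nmap's dns-blacklist script): a Python classifier that maps a list.quorum.to answer to those cases, next to the naive "any A record is a hit" logic that produced the scanme.nmap.org false positive. The sample addresses and answers are constructed, not real lookups.

```python
import ipaddress

# Added example, not Nmap's dns-blacklist code. Encodes the behaviour of
# list.quorum.to as described in the thread: NXDOMAIN = listed but not
# blocked, 127.0.0.2 = listed and blocked, 127.0.0.1 = never seen.
QUORUM_ZONE = "list.quorum.to"


def quorum_query_name(ip: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + QUORUM_ZONE


def classify_quorum(answer):
    """Map a DNS answer to Quorum's three cases.

    answer is None for NXDOMAIN, otherwise the A record as a string.
    Returns (listed, verdict); only "SPAM" should be reported by a scanner.
    """
    if answer is None:
        return (True, "listed, not blocked")
    if answer == "127.0.0.2":
        return (True, "SPAM")
    if answer == "127.0.0.1":
        return (False, "not listed")
    # Anything else (including the obsolete 127.0.0.0) is unexpected: do not
    # report SPAM on it, surface it for a human to look at instead.
    return (False, f"unexpected response {answer}")


def naive_is_spam(answer):
    """Pre-fix logic: any A record at all counts as a blacklist hit."""
    return answer is not None


# Constructed sample answers (documentation-range IPs), not real lookups.
SAMPLES = {
    "203.0.113.5": "127.0.0.1",   # never seen to send mail
    "198.51.100.9": "127.0.0.2",  # listed and blocked
    "192.0.2.77": None,           # listed, not blocked (NXDOMAIN)
}


def report(samples=SAMPLES):
    """Compare naive and case-aware verdicts for each sample address."""
    results = {}
    for ip, answer in samples.items():
        listed, verdict = classify_quorum(answer)
        results[ip] = {"query": quorum_query_name(ip), "listed": listed,
                       "naive_spam": naive_is_spam(answer),
                       "spam": verdict == "SPAM", "verdict": verdict}
    return results
```

Under the naive rule every host that has never sent mail (case 3) is flagged, which is exactly the behaviour seen against scanme.nmap.org.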