Nmap Development mailing list archives
Re: dns-blacklist false positive? (list.quorum.to)
From: David Fifield <david () bamsoftware com>
Date: Mon, 12 Mar 2012 14:32:31 -0700
On Mon, Mar 12, 2012 at 10:06:25PM +0100, Patrik Karlsson wrote:
> On Sun, Mar 11, 2012 at 6:49 PM, David Fifield <david () bamsoftware com> wrote:
>
>> I think that unlisted hosts returning 127.0.0.1 is by design, not an error on Quorum's part. My understanding of the service is that you use it to answer the question "should I accept mail from this host?" and their answer could be, "no, because we've never heard of this host and therefore don't think it's a mail server."
>>
>> I tested the host list you sent with
>>
>>   wget -O - http://www.spamhaus.org/sbl/listings/chinanet-zj | \
>>     grep -o -P '\d+\.\d+\.\d+\.\d+' | sed -e 's/\.0$/.1/' | \
>>     nmap --script=dns-blacklist -n -sn -Pn -iL -
>>
>> I found an address listed by Quorum, and picked one to test with
>>
>>   dig any 169.187.101.202.list.quorum.to
>>
>> From that response, it appears that there are three cases:
>>
>>   1. Host is listed, and not blocked → NXDOMAIN.
>>   2. Host is listed, and blocked → A 127.0.0.2.
>>   3. Host is not listed → A 127.0.0.1.
>>
>> So, that was a lot of work just to find out that your change is probably correct :) I was afraid that cases (2) and (3) would not be distinguishable.
>>
>> I saw the comment you mentioned, "list.quorum.to [...] incorrectly returns 127.0.0.0 when all is good." That makes me think that the interface might have changed recently from returning 127.0.0.0 for unlisted hosts to returning 127.0.0.1. (And probably also changed from returning 127.0.0.1 to 127.0.0.2 for listed hosts.) Anyway, it looks like that comment and the code under it are obsolete. Would you remove that comment and the code under it, and also add comments describing our current belief of how Quorum works; i.e., the distinction between 127.0.0.1 and 127.0.0.2.
>>
>> David Fifield
>
> I updated the documentation, but I'm not seeing any 127.0.0.1 responses? I'm guessing you mean 127.0.0.0? All I'm seeing is 127.0.0.0, which is "blocked because it has never been seen to send mail", or 127.0.0.2, which is SPAM.
Thanks. Yes, I probably meant 127.0.0.0.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
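To make the three Quorum cases concrete, here is an added Python example (not from the thread, and not the dns-blacklist NSE script's own code) that builds the reversed-octet lookup name and maps a DNSBL answer to the interpretation the thread settles on, with 127.0.0.0 rather than 127.0.0.1 for never-seen hosts. The function names and the constructed sample answers are my own; the address 202.101.187.169 is the one David queried, written forwards.

```python
# Added example: interpret list.quorum.to answers the way the thread concludes.
# Not part of Nmap or the dns-blacklist script; names and sample data are constructed.
import ipaddress

QUORUM_ZONE = "list.quorum.to"


def quorum_query_name(ip: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, zone appended.

    202.101.187.169 -> 169.187.101.202.list.quorum.to (as in David's dig command).
    Raises ValueError on anything that is not a valid IPv4 address.
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + QUORUM_ZONE


def classify_quorum_answer(a_records):
    """Classify a list.quorum.to response.

    a_records is None for NXDOMAIN, otherwise the list of A-record strings.
    Mapping per the thread's final state (Patrik's correction applied):
      NXDOMAIN  -> host is listed and not blocked
      127.0.0.0 -> blocked because the host has never been seen sending mail
      127.0.0.2 -> blocked as a spam source
    The original false positive came from treating every 127.0.0.x answer as
    "spam", so any other code is reported as unknown instead of being guessed at.
    """
    if a_records is None:
        return "listed-not-blocked"
    codes = set(a_records)
    if "127.0.0.2" in codes:
        return "blocked-spam"
    if "127.0.0.0" in codes:
        return "blocked-never-seen"
    return "unknown:" + ",".join(sorted(codes))


if __name__ == "__main__":
    # Constructed sample responses, one per case the thread describes.
    samples = {
        "202.101.187.169": ["127.0.0.2"],  # spam listing
        "192.0.2.10": ["127.0.0.0"],       # never seen sending mail (not spam)
        "192.0.2.20": None,                # NXDOMAIN: listed, not blocked
    }
    for ip, answer in samples.items():
        print(quorum_query_name(ip), "->", classify_quorum_answer(answer))
```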