Bugtraq mailing list archives
rbl.shub-inter.net is hosed?
From: Brad Knowles <blk () SKYNET BE>
Date: Thu, 10 Aug 2000 15:08:07 +0200
Folks,

It looks like this old RBL-like service is hosed. If you go to <http://www.shub-inter.net/>, you'll note that the web page doesn't appear to have anything to do with the previous anti-spam black lists that this site used to host.

Worse, it looks like they set up a wildcard DNS record for *.shub-inter.net pointing to 216.246.45.103 (which doesn't have reverse DNS, by the way ;-).

Unfortunately, most MTAs (including postfix and sendmail, I fear) aren't bright enough to distinguish between "real" IP addresses that might be returned and IP addresses that would signify something to an RBL-like application (e.g., 216.246.45.103 versus 127.0.0.2). Instead, they simply check to see if the name is resolvable at all, and if so then they decide that the address is black listed.

Take a look at this sequence of DNS queries:

dig @a.root-servers.net. shub-inter.net. any

; <<>> DiG 8.2 <<>> @a.root-servers.net. shub-inter.net. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 4
;; QUERY SECTION:
;; shub-inter.net, type = ANY, class = IN

;; ANSWER SECTION:
shub-inter.net. 2D IN NS NS1.NETHOSTINGLTD.COM.
shub-inter.net. 2D IN NS NS2.NETHOSTINGLTD.COM.
shub-inter.net. 2D IN NS NS3.NETHOSTINGLTD.COM.
shub-inter.net. 2D IN NS NS4.NETHOSTINGLTD.COM.

;; AUTHORITY SECTION:
shub-inter.net. 2D IN NS NS1.NETHOSTINGLTD.COM.
shub-inter.net. 2D IN NS NS2.NETHOSTINGLTD.COM.
shub-inter.net. 2D IN NS NS3.NETHOSTINGLTD.COM.
shub-inter.net. 2D IN NS NS4.NETHOSTINGLTD.COM.

;; ADDITIONAL SECTION:
NS1.NETHOSTINGLTD.COM. 2D IN A 216.246.56.3
NS2.NETHOSTINGLTD.COM. 2D IN A 216.246.56.4
NS3.NETHOSTINGLTD.COM. 2D IN A 216.246.56.5
NS4.NETHOSTINGLTD.COM. 2D IN A 216.246.56.6

;; Total query time: 98 msec
;; FROM: bismuth.skynet.be to SERVER: a.root-servers.net. 198.41.0.4
;; WHEN: Thu Aug 10 13:58:07 2000
;; MSG SIZE sent: 32 rcvd: 241

$ dig @ns1.nethostingltd.com. shub-inter.net. soa
; <<>> DiG 8.2 <<>> @ns1.nethostingltd.com. shub-inter.net. soa
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUERY SECTION:
;; shub-inter.net, type = SOA, class = IN

;; ANSWER SECTION:
shub-inter.net. 2h24m IN SOA ns1.nethostingltd.com. dnsadmin.shub-inter.net. (
2147483647 ; serial
18M ; refresh
6M ; retry
16h48m ; expiry
2h24m ) ; minimum


;; AUTHORITY SECTION:
shub-inter.net. 2h24m IN NS ns1.nethostingltd.com.
shub-inter.net. 2h24m IN NS ns2.nethostingltd.com.
shub-inter.net. 2h24m IN NS ns3.nethostingltd.com.
shub-inter.net. 2h24m IN NS ns4.nethostingltd.com.


$ dig @ns1.nethostingltd.com. rbl.shub-inter.net. soa

; <<>> DiG 8.2 <<>> @ns1.nethostingltd.com. rbl.shub-inter.net. soa
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; rbl.shub-inter.net, type = SOA, class = IN

;; AUTHORITY SECTION:
shub-inter.net. 2h24m IN SOA ns1.nethostingltd.com. dnsadmin.shub-inter.net. (
2147483647 ; serial
18M ; refresh
6M ; retry
16h48m ; expiry
2h24m ) ; minimum


;; Total query time: 183 msec
;; FROM: bismuth.skynet.be to SERVER: ns1.nethostingltd.com. 216.246.56.3
;; WHEN: Thu Aug 10 13:42:24 2000
;; MSG SIZE sent: 36 rcvd: 116

$ dig @ns1.nethostingltd.com. 999.999.999.999.relayips.rbl.shub-inter.net.

; <<>> DiG 8.2 <<>> @ns1.nethostingltd.com. 999.999.999.999.relayips.rbl.shub-inter.net.
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUERY SECTION:
;; 999.999.999.999.relayips.rbl.shub-inter.net, type = A, class = IN

;; ANSWER SECTION:
999.999.999.999.relayips.rbl.shub-inter.net. 2h24m IN A 216.246.45.103

;; AUTHORITY SECTION:
shub-inter.net. 2h24m IN NS ns1.nethostingltd.com.
shub-inter.net. 2h24m IN NS ns2.nethostingltd.com.
shub-inter.net. 2h24m IN NS ns3.nethostingltd.com.
shub-inter.net. 2h24m IN NS ns4.nethostingltd.com.

;; Total query time: 172 msec
;; FROM: bismuth.skynet.be to SERVER: ns1.nethostingltd.com. 216.246.56.3
;; WHEN: Thu Aug 10 13:38:26 2000
;; MSG SIZE sent: 61 rcvd: 180

Obviously, 999.999.999.999 is a totally bogus IP address, and yet it appears to be "in" the relayips.rbl.shub-inter.net zone. ;-(

Anyway, if any of you are using rbl.shub-inter.net, I'd suggest that you stop doing so, or at least look into this problem from your end and decide what action you want to take. Myself, I fear that this would prevent any mail whatsoever from coming into a network, since all IP addresses you could possibly look up would always resolve via the wildcard DNS record back to the same real IP address. ;-(

I think this also opens up the issue that this could be used as a denial-of-service attack. Use the methods previously mentioned by Dan Bernstein on this list to cause cache pollution and trick the nameservers at a site into thinking that my machine is the proper owner of rbl.mail-abuse.org. Then put in a wildcard DNS record so that everything that gets looked up is found (and therefore the resulting mail message is rejected). This would be almost as good as getting a site to firewall itself off from its own router to the outside world. Better yet, you get them (and everyone that would want to send mail to them) to blame someone else, such as the MAPS LLC.

--
These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles, <blk () skynet be>                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin    || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49                || B-1140 Brussels
http://www.skynet.be                            || Belgium

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
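The distinction Brad asks MTAs to make, as an added example that is not code from the post or from any MTA: a DNSBL check that treats an answer as a listing only when it lies in 127.0.0.0/8, beside the naive "it resolved, so it is listed" logic he describes, plus the 999.999.999.999 probe from the post turned into a wildcard sanity check. The resolver is a constructed stub so the code runs offline; the zone name is the one in the post, and the 127.0.0.2 entry in the healthy stub is a constructed test value.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Resolver hook: DNS name -> its A records (empty list means no answer).
# Injected so the example runs offline against constructed data.
Resolver = Callable[[str], Iterable[str]]

RBL_ZONE = "relayips.rbl.shub-inter.net"            # zone named in the post
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")  # where DNSBL answers live

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet DNSBL name: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def naive_is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """What the post says most MTAs did: any answer at all counts as listed."""
    return bool(list(resolve(dnsbl_query_name(ip, zone))))

def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Strict check: listed only if an A record falls inside 127.0.0.0/8,
    so a wildcard pointing at a real host (216.246.45.103) is ignored."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in LISTED_NET for a in answers)

def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """Wildcard probe: the bogus 999.999.999.999 label from the post can never
    be a real listing, so a healthy zone must return no answer for it."""
    return not list(resolve("999.999.999.999." + zone))

def make_resolver(table: Dict[str, List[str]], wildcard_suffix: str = "",
                  wildcard_answer: str = "") -> Resolver:
    """Constructed stub resolver: exact entries from `table`, plus an optional
    wildcard that answers every other name under `wildcard_suffix`."""
    def resolve(name: str) -> List[str]:
        if name in table:
            return table[name]
        if wildcard_suffix and name.endswith("." + wildcard_suffix):
            return [wildcard_answer]
        return []
    return resolve

# Constructed sample zones: the hosed one from the post, and a healthy one
# that lists only 127.0.0.2 (constructed test entry).
HOSED = make_resolver({}, "shub-inter.net", "216.246.45.103")
HEALTHY = make_resolver({"2.0.0.127." + RBL_ZONE: ["127.0.0.2"]})
```

Against the wildcarded zone the naive check rejects every sender while the strict check and the sanity probe both flag the zone as unusable rather than treating it as a listing.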