Bugtraq mailing list archives

rbl.shub-inter.net is hosed?


From: Brad Knowles <blk () SKYNET BE>
Date: Thu, 10 Aug 2000 15:08:07 +0200

Folks,

        It looks like this old RBL-like service is hosed.  If you go to
<http://www.shub-inter.net/>, you'll note that the web page doesn't
appear to have anything to do with the previous anti-spam black lists
that this site used to host.

        Worse, it looks like they set up a wildcard DNS record for
*.shub-inter.net pointing to 216.246.45.103 (which doesn't have
reverse DNS, by the way ;-).

        Unfortunately, most MTAs (including postfix and sendmail, I fear)
aren't bright enough to distinguish between "real" IP addresses that
might be returned and IP addresses that would signify something to an
RBL-like application (e.g., 216.246.45.103 versus 127.0.0.2).
Instead, they simply check to see if the name is resolvable at all,
and if so then they decide that the address is black listed.

        Take a look at this sequence of DNS queries:

|| dig @a.root-servers.net. shub-inter.net. any
||
|| ; <<>> DiG 8.2 <<>> @a.root-servers.net. shub-inter.net. any
|| ; (1 server found)
|| ;; res options: init recurs defnam dnsrch
|| ;; got answer:
|| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
|| ;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 4
|| ;; QUERY SECTION:
|| ;;      shub-inter.net, type = ANY, class = IN
||
|| ;; ANSWER SECTION:
|| shub-inter.net.         2D IN NS        NS1.NETHOSTINGLTD.COM.
|| shub-inter.net.         2D IN NS        NS2.NETHOSTINGLTD.COM.
|| shub-inter.net.         2D IN NS        NS3.NETHOSTINGLTD.COM.
|| shub-inter.net.         2D IN NS        NS4.NETHOSTINGLTD.COM.
||
|| ;; AUTHORITY SECTION:
|| shub-inter.net.         2D IN NS        NS1.NETHOSTINGLTD.COM.
|| shub-inter.net.         2D IN NS        NS2.NETHOSTINGLTD.COM.
|| shub-inter.net.         2D IN NS        NS3.NETHOSTINGLTD.COM.
|| shub-inter.net.         2D IN NS        NS4.NETHOSTINGLTD.COM.
||
|| ;; ADDITIONAL SECTION:
|| NS1.NETHOSTINGLTD.COM.  2D IN A         216.246.56.3
|| NS2.NETHOSTINGLTD.COM.  2D IN A         216.246.56.4
|| NS3.NETHOSTINGLTD.COM.  2D IN A         216.246.56.5
|| NS4.NETHOSTINGLTD.COM.  2D IN A         216.246.56.6
||
|| ;; Total query time: 98 msec
|| ;; FROM: bismuth.skynet.be to SERVER: a.root-servers.net.  198.41.0.4
|| ;; WHEN: Thu Aug 10 13:58:07 2000
|| ;; MSG SIZE  sent: 32  rcvd: 241
||
|| $ dig @ns1.nethostingltd.com. shub-inter.net. soa
|| ; <<>> DiG 8.2 <<>> @ns1.nethostingltd.com. shub-inter.net. soa
|| ; (1 server found)
|| ;; res options: init recurs defnam dnsrch
|| ;; got answer:
|| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
|| ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
|| ;; QUERY SECTION:
|| ;;      shub-inter.net, type = SOA, class = IN
||
|| ;; ANSWER SECTION:
|| shub-inter.net.         2h24m IN SOA    ns1.nethostingltd.com. dnsadmin.shub-inter.net. (
||                                         2147483647      ; serial
||                                         18M             ; refresh
||                                         6M              ; retry
||                                         16h48m          ; expiry
||                                         2h24m )         ; minimum
||
||
|| ;; AUTHORITY SECTION:
|| shub-inter.net.         2h24m IN NS     ns1.nethostingltd.com.
|| shub-inter.net.         2h24m IN NS     ns2.nethostingltd.com.
|| shub-inter.net.         2h24m IN NS     ns3.nethostingltd.com.
|| shub-inter.net.         2h24m IN NS     ns4.nethostingltd.com.
||
||
|| $ dig @ns1.nethostingltd.com. rbl.shub-inter.net. soa
||
|| ; <<>> DiG 8.2 <<>> @ns1.nethostingltd.com. rbl.shub-inter.net. soa
|| ; (1 server found)
|| ;; res options: init recurs defnam dnsrch
|| ;; got answer:
|| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
|| ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
|| ;; QUERY SECTION:
|| ;;      rbl.shub-inter.net, type = SOA, class = IN
||
|| ;; AUTHORITY SECTION:
|| shub-inter.net.         2h24m IN SOA    ns1.nethostingltd.com. dnsadmin.shub-inter.net. (
||                                         2147483647      ; serial
||                                         18M             ; refresh
||                                         6M              ; retry
||                                         16h48m          ; expiry
||                                         2h24m )         ; minimum
||
||
|| ;; Total query time: 183 msec
|| ;; FROM: bismuth.skynet.be to SERVER: ns1.nethostingltd.com.  216.246.56.3
|| ;; WHEN: Thu Aug 10 13:42:24 2000
|| ;; MSG SIZE  sent: 36  rcvd: 116
||
|| $ dig @ns1.nethostingltd.com. 999.999.999.999.relayips.rbl.shub-inter.net.
||
|| ; <<>> DiG 8.2 <<>> @ns1.nethostingltd.com. 999.999.999.999.relayips.rbl.shub-inter.net.
|| ; (1 server found)
|| ;; res options: init recurs defnam dnsrch
|| ;; got answer:
|| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
|| ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
|| ;; QUERY SECTION:
|| ;;      999.999.999.999.relayips.rbl.shub-inter.net, type = A, class = IN
||
|| ;; ANSWER SECTION:
|| 999.999.999.999.relayips.rbl.shub-inter.net.  2h24m IN A  216.246.45.103
||
|| ;; AUTHORITY SECTION:
|| shub-inter.net.         2h24m IN NS     ns1.nethostingltd.com.
|| shub-inter.net.         2h24m IN NS     ns2.nethostingltd.com.
|| shub-inter.net.         2h24m IN NS     ns3.nethostingltd.com.
|| shub-inter.net.         2h24m IN NS     ns4.nethostingltd.com.
||
|| ;; Total query time: 172 msec
|| ;; FROM: bismuth.skynet.be to SERVER: ns1.nethostingltd.com.  216.246.56.3
|| ;; WHEN: Thu Aug 10 13:38:26 2000
|| ;; MSG SIZE  sent: 61  rcvd: 180

        Obviously, 999.999.999.999 is a totally bogus IP address, and yet
it appears to be "in" the relayips.rbl.shub-inter.net zone.  ;-(


        Anyway, if any of you are using rbl.shub-inter.net, I'd suggest
that you stop doing so, or at least look into this problem from your
end and decide what action you want to take.

        Myself, I fear that this would prevent any mail whatsoever from
coming into a network, since all IP addresses you could possibly look
up would always resolve via the wildcard DNS record back to the same
real IP address.  ;-(


        I think this also opens up the issue that this could be used as a
denial-of-service attack.  Use the methods previously mentioned by
Dan Bernstein on this list to cause cache pollution and trick the
nameservers at a site into thinking that my machine is the proper
owner of rbl.mail-abuse.org.  Then put in a wildcard DNS record so
that everything that gets looked up is found (and therefore the
resulting mail message is rejected).

        This would be almost as good as getting a site to firewall itself
off from its own router to the outside world.  Better yet, you get
them (and everyone that would want to send mail to them) to blame
someone else, such as the MAPS LLC.

--
  These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles, <blk () skynet be>                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
http://www.skynet.be                         || Belgium

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.
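
The check the post says postfix and sendmail lack, written out as an added
example (this is not code from the post, nor from any MTA): a DNSBL answer
counts as a listing only if it falls inside 127.0.0.0/8, and the zone is probed
with names that no sane list can carry before any listing from it is believed.
DNS is injected as a function so the block runs offline; the zones
good.example and relayips.rbl.hosed.example and their answers are constructed
here, and the wildcard resolver imitates the *.shub-inter.net -> 216.246.45.103
behaviour shown in the dig output above. The 127.0.0.1 "must not be listed"
probe follows the later RFC 5782 convention and is an addition to the
999.999.999.999 probe the post itself used.

```python
# Added example, not code from the post or from any MTA.
# A DNSBL answer is a listing only if it is in 127.0.0.0/8, and the zone is
# probed for a wildcard before any listing from it is trusted.  DNS is
# injected as a function so the block runs offline against constructed data.
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]   # name -> A records ([] when the name does not exist)
DNSBL_RESULT_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def reversed_octets(ip: str) -> str:
    """10.2.3.4 -> 4.3.2.10, the usual DNSBL query form (validates the IP first)."""
    ipaddress.IPv4Address(ip)
    return ".".join(reversed(ip.split(".")))


def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the listing code (for example '127.0.0.2') or None.

    Any answer outside 127.0.0.0/8 is ignored rather than counted as a hit:
    the wildcard in the post returned 216.246.45.103 for every name, which a
    resolvability-only check would have taken as 'blacklisted'.
    """
    for answer in resolve(f"{reversed_octets(ip)}.{zone}"):
        if ipaddress.IPv4Address(answer) in DNSBL_RESULT_RANGE:
            return answer
    return None


def zone_looks_wildcarded(zone: str, resolve: Resolver) -> bool:
    """Probe names no sane list can carry; any answer at all means the zone is hosed.

    999.999.999.999 is the bogus address the post queried; 1.0.0.127 is the
    RFC 5782 'must not be listed' test point, added here as a second probe.
    """
    probes = [f"999.999.999.999.{zone}", f"{reversed_octets('127.0.0.1')}.{zone}"]
    return any(resolve(p) for p in probes)


def decide(ip: str, zone: str, resolve: Resolver) -> str:
    """'reject' / 'accept' / 'list-unusable' for one connecting IP."""
    if zone_looks_wildcarded(zone, resolve):
        return "list-unusable"   # fail open on the list instead of rejecting all mail
    return "reject" if dnsbl_listed(ip, zone, resolve) else "accept"


# ---- constructed resolvers (hypothetical zones, not real DNS data) ----
HEALTHY_ANSWERS: Dict[str, List[str]] = {
    "2.0.0.127.good.example": ["127.0.0.2"],   # RFC 5782 'must be listed' test point
    "4.3.2.10.good.example": ["127.0.0.2"],    # one constructed listing
}


def healthy_resolver(name: str) -> List[str]:
    return HEALTHY_ANSWERS.get(name, [])


def wildcard_resolver(name: str) -> List[str]:
    # Imitates the *.shub-inter.net wildcard from the dig output: every name
    # under the zone resolves to the same address outside 127.0.0.0/8.
    return ["216.246.45.103"] if name.endswith(".rbl.hosed.example") else []


if __name__ == "__main__":
    for zone, resolve in (("good.example", healthy_resolver),
                          ("relayips.rbl.hosed.example", wildcard_resolver)):
        for ip in ("10.2.3.4", "10.2.3.5"):
            print(f"{zone:30} {ip:10} -> {decide(ip, zone, resolve)}")
```

With the constructed data, 10.2.3.4 is rejected and 10.2.3.5 accepted against
good.example, while every lookup against the wildcarded zone comes back
"list-unusable": the 216.246.45.103 answer is never treated as a listing, and
the probe catches the wildcard before any sender is judged by it. An MTA that
only tests whether the name resolves would reject both addresses, which is the
"no mail whatsoever" outcome the post warns about.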

