Nmap Development mailing list archives

Re: dns-blacklist false positive? (list.quorum.to)


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 11 Mar 2012 10:41:45 +0100

On Fri, Mar 9, 2012 at 8:57 PM, David Fifield <david () bamsoftware com> wrote:

On Fri, Mar 09, 2012 at 11:53:18AM -0800, David Fifield wrote:
I get this when running dns-blacklist against scanme.nmap.org:

Host script results:
| dns-blacklist:
|   SPAM
|_    list.quorum.to - SPAM

But I did a search using their web interface at
http://www.quorum.to/pubsearch, and they have no record of
scanme.nmap.org.

According to http://www.quorum.to/publicbl.html, a host not in their
database is "blocked because it has never been seen to send mail." Maybe
we should remove this list then? It's going to report SPAM for virtually
all IP addresses.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Thanks for finding this David. I checked the source and found some comment
about a problem with quorum.to incorrectly returning a 127.0.0.0 when hosts
are not listed. I changed the code to make sure that the response is not
127.0.0.0 and only then list the host as SPAM. I confirmed this was working
by running a few IPs of this list against it:
http://www.spamhaus.org/sbl/listings/chinanet-zj

It seems to be working as expected and scanme.nmap.org does not turn up as
blacklisted anymore. I've committed the change as r28270.

Cheers,
Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
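
The check described in the message above, sketched in Python as an added example (it is not the dns-blacklist script's code or the r28270 change). The zone-to-sentinel table, the function names and the sample answers are constructed for illustration; rejecting answers outside 127.0.0.0/8 is an extra assumption that goes beyond what the message describes.

```python
import ipaddress

# Assumption taken from the message above: list.quorum.to answers 127.0.0.0
# for hosts it has no record of, so that value must not count as a listing.
NOT_LISTED_SENTINELS = {"list.quorum.to": {"127.0.0.0"}}

# DNSBL return codes conventionally live in 127.0.0.0/8 (RFC 5782).
DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(zone, answers):
    """Return 'listed', 'not-listed' or 'invalid' for a zone's A answers.

    answers is a list of A record strings; an empty list models NXDOMAIN.
    """
    sentinels = NOT_LISTED_SENTINELS.get(zone, set())
    verdict = "not-listed"
    for answer in answers:
        try:
            addr = ipaddress.IPv4Address(answer)
        except ValueError:
            return "invalid"
        if addr not in DNSBL_NET:
            # Added assumption: an answer outside 127/8 is not a DNSBL code
            # (wildcarded or redirected zone), so it is not trusted.
            return "invalid"
        if str(addr) not in sentinels:
            verdict = "listed"
    return verdict


if __name__ == "__main__":
    # Constructed sample answers for a documentation address (192.0.2.10).
    name = dnsbl_query_name("192.0.2.10", "list.quorum.to")
    for answers in (["127.0.0.0"], ["127.0.0.2"], [], ["203.0.113.5"]):
        print(name, answers, classify("list.quorum.to", answers))
```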