[dns-operations] ISC SIE, channel 3
michael.monnerie at it-management.at
Thu Feb 7 00:51:40 UTC 2008
On Tuesday, 5 February 2008 Paul Vixie wrote:
> from the above, for example, it's possible to learn that the
> following five addresses probably initiated smtp transactions "very
> recently", and could be legit or could be bots: 220.127.116.11,
> 18.104.22.168, 22.214.171.124, 126.96.36.199, and 188.8.131.52.
> we also know that the mailservers whose recursive nameservers'
> upstream query addresses are 184.108.40.206, 220.127.116.11,
> 18.104.22.168, 22.214.171.124, and 126.96.36.199 are not well
> maintained (since they are using a DNS RBL that hasn't worked since
> 1999 or so.) i knew there was a use for query data in SIE, i just
> didn't see it until after i whined about maps.vix.com still getting
> (lots of) queries.
Could we (where "we" means the Good Guys) possibly use such information
to find bots or other bad things? If such results are combined e.g. with
RBLs, they could possibly create more accurate entries, e.g. by looking
at who made a DNS request and SMTP request or whatever.

The question is whether someone could be trusted enough to get access
to such data, and if they could really make useful results from this
information. I'm thinking about Spamhaus, SpamAssassin, Amavisd and
friends. Maybe some "new invention" can be done from this, like RBL back
in the last millennium.
// Michael Monnerie, Ing.BSc ----- http://it-management.at
// Tel: 0676/846 914 666 .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net Key-ID: 1C1209B4