[dns-operations] ISC SIE, channel 3

Michael Monnerie michael.monnerie at it-management.at
Thu Feb 7 00:51:40 UTC 2008


On Tuesday, 5 February 2008 Paul Vixie wrote:
> from the above, for example, it's possible to learn that the
> following five addresses probably initiated smtp transactions "very
> recently", and could be legit or could be bots: 71.191.253.206,
> 201.250.127.215, 211.202.63.201, 59.182.102.6, and 208.189.239.204.
>  we also know that the mailservers whose recursive nameservers'
> upstream query addresses are 64.62.206.10, 194.246.101.39,
> 81.109.162.29, 207.218.192.64, and 12.172.248.67 are not well
> maintained (since they are using a DNS RBL that hasn't worked since
> 1999 or so.)  i knew there was a use for query data in SIE, i just
> didn't see it until after i whined about maps.vix.com still getting
> (lots of) queries.

Could we (where "we" means the Good Guys) possibly use such information 
to find bots or other bad things? If such results are combined e.g. with 
RBLs, they could possibly create more accurate entries, e.g. by looking 
at who made a DNS request and SMTP request or whatever.

The question is whether someone could be trusted enough to get access 
to such data, and if they could really make useful results from this 
information. I'm thinking about Spamhaus, SpamAssassin, Amavisd and 
friends. Maybe some "new invention" can be done from this, like RBL back 
in the last millennium.

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0676/846 914 666                      .network.your.ideas.
// PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net                   Key-ID: 1C1209B4