[SGVLUG] I think I figured out why SpamAssassin thinks SGVLUG's server is part of a botnet
John E. Kreznar
jek at ininx.com
Tue May 27 21:07:50 PDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Christopher Smith <x at xman.org> writes:
> If you look at the message headers for this list, you'll see that the
> outbound MTA is from 67.43.162.226.
> # host 67.43.162.226
> 226.162.43.67.in-addr.arpa domain name pointer mail.realtybrokeroffice.com.
> # host mail.realtybrokeroffice.com
> mail.realtybrokeroffice.com has address 67.43.162.227
One wonders where the 226 is coming from. 227 itself seems to be
running the name server that's authoritative for the domain but has
no mention of 226[1]. The operating system could be Linux 2.4.X
according to nmap[2], but the MTA is taciturn and does not identify
itself nor give its IP address[3].
[1]
iflig: # dig mx realtybrokeroffice.com @ns1.realtybrokeroffice.com
; <<>> DiG 9.3.4 <<>> mx realtybrokeroffice.com @ns1.realtybrokeroffice.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29428
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;realtybrokeroffice.com. IN MX
;; ANSWER SECTION:
realtybrokeroffice.com. 86400 IN MX 10 mail.realtybrokeroffice.com.
;; AUTHORITY SECTION:
realtybrokeroffice.com. 259200 IN NS ns1.realtybrokeroffice.com.
realtybrokeroffice.com. 259200 IN NS ns2.realtybrokeroffice.com.
;; ADDITIONAL SECTION:
mail.realtybrokeroffice.com. 3600 IN A 67.43.162.227
ns1.realtybrokeroffice.com. 3600 IN A 67.43.162.227
ns2.realtybrokeroffice.com. 86400 IN A 66.245.237.55
;; Query time: 36 msec
;; SERVER: 67.43.162.227#53(67.43.162.227)
;; WHEN: Tue May 27 19:37:12 2008
;; MSG SIZE rcvd: 356
[2]
iflig: # nmap -P0 -O 67.43.162.227
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-27 20:50 PDT
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 67.43.162.227:
Not shown: 1672 filtered ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
993/tcp open imaps
8080/tcp open http-proxy
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.27
Uptime 292.900 days (since Wed Aug 8 23:15:11 2007)
Nmap finished: 1 IP address (1 host up) scanned in 25.114 seconds
[3]
jek at iflig: $ telnet 67.43.162.227 25
Trying 67.43.162.227...
Connected to 67.43.162.227.
Escape character is '^]'.
220 *****************************************
ehlo ininx.com
502 Error: command not implemented
helo ininx.com
250 mail.realtybrokeroffice.com
help
502 Error: command not implemented
quit
221 Bye
Connection closed by foreign host.
- --
John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8+ <http://mailcrypt.sourceforge.net/>
iD8DBQFIPNprYaR8xUGv7xMRAsPQAJ0epQf3DNAh4WLrfd3RdrUrFWK+IACfQb8f
GoAGNIPfN5e5r6DOp/xmroU=
=KcNk
-----END PGP SIGNATURE-----
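The PTR/A mismatch the thread observes (the reverse record for 67.43.162.226 names mail.realtybrokeroffice.com, whose A record is 67.43.162.227) is exactly what a forward-confirmed reverse DNS test catches. The following is an added example, not code from the original post or the list: it implements that check with the thread's values as a constructed offline lookup table (the 192.0.2.10 / mx.example.net entries are hypothetical, added only as a passing case) and provides socket-based lookups for use against live DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example, not code from the original SGVLUG post. It reproduces the
mismatch the thread observes: the PTR record for 67.43.162.226 names
mail.realtybrokeroffice.com, but that name's A record is 67.43.162.227.
The lookup tables below are constructed from the values quoted in the
thread (plus one hypothetical passing case) so the check runs offline;
the live_* functions use the socket module for real lookups.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample data. The realtybrokeroffice.com entries mirror the
# thread's `host` and `dig` output; 192.0.2.10 / mx.example.net is a
# hypothetical well-configured host (RFC 5737 documentation address).
SAMPLE_PTR = {
    "67.43.162.226": "mail.realtybrokeroffice.com",
    "192.0.2.10": "mx.example.net",
}
SAMPLE_A = {
    "mail.realtybrokeroffice.com": ["67.43.162.227"],
    "mx.example.net": ["192.0.2.10"],
}


def sample_ptr(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table."""
    return SAMPLE_PTR.get(ip)


def sample_a(name: str) -> List[str]:
    """Offline A lookup against the constructed table."""
    return list(SAMPLE_A.get(name, []))


def live_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_a(name: str) -> List[str]:
    """Real IPv4 A lookup via the system resolver; empty list on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


@dataclass(frozen=True)
class FcrdnsResult:
    ip: str
    ptr: Optional[str]
    forward: List[str] = field(default_factory=list)
    status: str = "no-ptr"  # confirmed | mismatch | no-forward | no-ptr

    def explain(self) -> str:
        """One-line human-readable verdict."""
        if self.status == "confirmed":
            return f"{self.ip} -> {self.ptr} -> {self.ip}: forward-confirmed"
        if self.status == "mismatch":
            return (f"{self.ip} -> {self.ptr} -> {', '.join(self.forward)}: "
                    "PTR name does not resolve back to the connecting IP")
        if self.status == "no-forward":
            return f"{self.ip} -> {self.ptr}: name has no A record"
        return f"{self.ip}: no PTR record"


def check_fcrdns(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]] = sample_ptr,
    a_lookup: Callable[[str], List[str]] = sample_a,
) -> FcrdnsResult:
    """Resolve ip -> PTR name -> A records and confirm the round trip.

    Defaults to the offline sample tables; pass live_ptr/live_a for real DNS.
    """
    ptr = ptr_lookup(ip)
    if ptr is None:
        return FcrdnsResult(ip, None)
    forward = a_lookup(ptr)
    if ip in forward:
        status = "confirmed"
    elif forward:
        status = "mismatch"  # the thread's case: PTR says .226's name, A says .227
    else:
        status = "no-forward"
    return FcrdnsResult(ip, ptr, forward, status)


if __name__ == "__main__":
    import sys
    # With no arguments, walk the constructed sample; with IPs, query live DNS.
    live = len(sys.argv) > 1
    for addr in (sys.argv[1:] if live else list(SAMPLE_PTR)):
        result = check_fcrdns(addr, live_ptr, live_a) if live else check_fcrdns(addr)
        print(result.explain())
```

Run without arguments to see the thread's mismatch reported from the constructed data; run with one or more IP addresses to perform the same check against live DNS. A "mismatch" or "no-ptr" verdict on an outbound MTA is the usual reason reputation-based filters score a host as if it were a compromised consumer machine, and the fix belongs with whoever controls the reverse zone for that address (the PTR must name a host whose A record points back to the same IP).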