[SGVLUG] I think I figured out why SpamAssassin thinks SGVLUG's server is part of a botnet

John E. Kreznar jek at ininx.com
Tue May 27 21:07:50 PDT 2008



Christopher Smith <x at xman.org> writes:

> If you look at the message headers for this list, you'll see that the 
> outbound MTA is from 67.43.162.226.

> # host 67.43.162.226
> 226.162.43.67.in-addr.arpa domain name pointer mail.realtybrokeroffice.com.
> # host mail.realtybrokeroffice.com
> mail.realtybrokeroffice.com has address 67.43.162.227

One wonders where the 226 is coming from.  227 itself seems to be
running the name server that's authoritative for the domain but has
no mention of 226[1].  The operating system could be Linux 2.4.X
according to nmap[2], but the MTA is taciturn and does not identify
itself nor give its IP address[3].

[1]

iflig: # dig mx realtybrokeroffice.com @ns1.realtybrokeroffice.com

; <<>> DiG 9.3.4 <<>> mx realtybrokeroffice.com @ns1.realtybrokeroffice.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29428
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;realtybrokeroffice.com.                IN      MX

;; ANSWER SECTION:
realtybrokeroffice.com. 86400   IN      MX      10 mail.realtybrokeroffice.com.

;; AUTHORITY SECTION:
realtybrokeroffice.com. 259200  IN      NS      ns1.realtybrokeroffice.com.
realtybrokeroffice.com. 259200  IN      NS      ns2.realtybrokeroffice.com.

;; ADDITIONAL SECTION:
mail.realtybrokeroffice.com. 3600 IN    A       67.43.162.227
ns1.realtybrokeroffice.com. 3600 IN     A       67.43.162.227
ns2.realtybrokeroffice.com. 86400 IN    A       66.245.237.55

;; Query time: 36 msec
;; SERVER: 67.43.162.227#53(67.43.162.227)
;; WHEN: Tue May 27 19:37:12 2008
;; MSG SIZE  rcvd: 356

[2]

iflig: # nmap -P0 -O 67.43.162.227

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-27 20:50 PDT
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 67.43.162.227:
Not shown: 1672 filtered ports
PORT     STATE SERVICE
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
8080/tcp open  http-proxy
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.27
Uptime 292.900 days (since Wed Aug  8 23:15:11 2007)

Nmap finished: 1 IP address (1 host up) scanned in 25.114 seconds

[3]

jek at iflig: $ telnet 67.43.162.227 25
Trying 67.43.162.227...
Connected to 67.43.162.227.
Escape character is '^]'.
220 *****************************************
ehlo ininx.com
502 Error: command not implemented
helo ininx.com
250 mail.realtybrokeroffice.com
help
502 Error: command not implemented
quit
221 Bye
Connection closed by foreign host.


-- 
 John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13

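The mismatch the post describes (the PTR for .226 names a host whose A record is .227) is exactly what a forward-confirmed reverse DNS check catches, and mail filters treat a failing check as a mark against the sender. The following is an added example, not code from the original post: it implements the check against a constructed in-memory record table seeded with the records quoted in the thread so it runs offline; the empty PTR entry for .227 is an assumption, since the thread never shows a reverse lookup for that address.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an IPv4 sender address.

Added example. The two lookup functions read a constructed table so the
script runs offline; swap them for real resolver calls to test live hosts.
"""
import ipaddress

# Constructed record table mirroring the observations quoted in the thread.
PTR_RECORDS = {
    "67.43.162.226": ["mail.realtybrokeroffice.com."],
    "67.43.162.227": [],  # assumption: thread shows no PTR lookup for .227
}
A_RECORDS = {
    "mail.realtybrokeroffice.com.": ["67.43.162.227"],
    "ns1.realtybrokeroffice.com.": ["67.43.162.227"],
    "ns2.realtybrokeroffice.com.": ["66.245.237.55"],
}


def lookup_ptr(ip):
    """PTR names for an address (stand-in for a real reverse lookup)."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name):
    """A records for a name (stand-in for a real forward lookup)."""
    return A_RECORDS.get(name, [])


def reverse_name(ip):
    """Build the in-addr.arpa owner name that `host <ip>` queries."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip):
    """Return (status, detail) where status is:
    'pass'      a PTR name's A record maps back to ip
    'mismatch'  PTR exists but no A record maps back (the .226 case)
    'no_ptr'    the address has no PTR record at all
    """
    names = lookup_ptr(ip)
    if not names:
        return "no_ptr", f"{reverse_name(ip)} has no PTR record"
    for name in names:
        if ip in lookup_a(name):
            return "pass", f"{ip} -> {name} -> {ip}"
    forward = {n: lookup_a(n) for n in names}
    return "mismatch", f"{ip} -> {names} but forward records are {forward}"


if __name__ == "__main__":
    for addr in ("67.43.162.226", "67.43.162.227"):
        print(addr, *fcrdns(addr))
```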


