[exim] Zombie detection

Author: Lena
Date:  
To: exim-users
Old-Topics: Re: [exim] Sender callout verification on BATV signed addresses
Subject: [exim] Zombie detection
> From: W B Hacker

> Has anyone here yet caught a Zombie that had a 'proper' PTR RR,
> let alone passed reverse_host_lookup?


Yes. A zombie behind NAT which doesn't block port 25. Common for
small ISPs and small businesses in Europe, which can get only very small
blocks of IPv4 addresses. Many such small organizations use
only one external IP address. Often it has a non-generic PTR.
And even most medium-to-large ISPs have far fewer IP addresses than clients,
so they have to use NAT, and not every one uses hostnames like
host-77-41-56-246.qwerty.ru. For example, one of the largest ISPs in my city
(population 2.7 million) uses hostnames like made.brander.volia.net or
emblazoned.cover.volia.net (two random words). Each such hostname
is a NAT with hundreds of cable-connected win-lusers behind it,
port 25 not blocked.

BTW, if a win-zombie is behind a NAT in a DSL modem (with embedded
Linux inside), what does p0f show?
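
Added illustration, not part of the original message: a typical generic-PTR heuristic flags the IP-derived hostname quoted above but passes the two-word NAT hostnames, which is why a "proper" PTR alone does not rule out a zombie. The function names and keyword list are assumptions, the first IP is the one implied by its hostname, and the other IPs are constructed documentation addresses.

```python
import ipaddress
import re

# Assumed keyword list for access-network naming; tune for your own mail flow.
KEYWORDS = re.compile(
    r"(^|[.\-_])(adsl|dsl|dyn|dynamic|dhcp|pool|ppp|cable|dialup|broadband)([.\-_\d]|$)"
)

def ip_encodings(ip):
    """Ways an IPv4 address is commonly embedded in an auto-generated PTR name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    forms = set()
    for order in (octets, octets[::-1]):          # forward and in-addr.arpa order
        for sep in ("-", ".", "_"):
            forms.add(sep.join(order))
            forms.add(sep.join(o.zfill(3) for o in order))  # 077-041-056-246
        forms.add("".join(o.zfill(3) for o in order))       # 077041056246
    forms.add("".join(f"{int(o):02x}" for o in octets))     # hex, 4d2938f6
    return forms

def looks_generic(ptr, ip):
    """True if the PTR name looks auto-generated for a dynamic/end-user address."""
    name = ptr.lower().rstrip(".")
    if any(form in name for form in ip_encodings(ip)):
        return True
    return bool(KEYWORDS.search(name))

# Hostnames 1-3 are from the message; the IPs for the volia.net names are
# constructed (RFC 5737 documentation addresses), as is the whole last sample.
SAMPLES = [
    ("host-77-41-56-246.qwerty.ru", "77.41.56.246"),
    ("made.brander.volia.net", "192.0.2.10"),
    ("emblazoned.cover.volia.net", "192.0.2.11"),
    ("pool-7.dsl.example.net", "198.51.100.7"),
]

def classify(samples=SAMPLES):
    """Map each sample PTR name to the heuristic's verdict."""
    return {ptr: looks_generic(ptr, ip) for ptr, ip in samples}

if __name__ == "__main__":
    for ptr, generic in classify().items():
        print(f"{ptr:32} {'generic' if generic else 'passes PTR heuristic'}")
```
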