> From: W B Hacker
> Has anyone here yet caught a Zombie that had a 'proper' PTR RR,
> let alone passed reverse_host_lookup?
Yes. A zombie behind NAT which doesn't block port 25. Common for
small ISP and small businesses in Europe which can get only very small
blocks of IPv4 addresses. Many of such small organizations use
only one external IP-address. Often it has a non-generic PTR.
And even most medium-to-large ISP have much less IP-addresses than clients,
so have to use NAT, and not every one uses hostnames like
host-77-41-56-246.qwerty.ru. For example, one of largest ISP in my city
(population 2.7 million) uses hostnames like made.brander.volia.net or
emblazoned.cover.volia.net (two random words). Each such hostname
is a NAT with hundreds cable-connected win-lusers behind it,
port 25 not blocked.
BTW, if a win-zombie is behind a NAT in a DSL-modem (with embedded
Linux inside), what p0f shows?
