Re: [exim] Zombie detection

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Zombie detection
Lena@??? wrote:
>> From: W B Hacker
>
>> Has anyone here yet caught a Zombie that had a 'proper' PTR RR,
>> let alone passed reverse_host_lookup?
>
> Yes. A zombie behind NAT which doesn't block port 25. Common for
> small ISP and small businesses in Europe which can get only very small
> blocks of IPv4 addresses. Many of such small organizations use
> only one external IP-address. Often it has a non-generic PTR.
> And even most medium-to-large ISP have much less IP-addresses than clients,
> so have to use NAT, and not every one uses hostnames like
> host-77-41-56-246.qwerty.ru.


Thanks - that explains the 'why' of the accumulation of so many Eastern European
sources (*qwerty.ru included) in my blocklist.

BUT - ISTR it was placed there because of chronic sorbs dynamic-IP RBL hits.

Unlike David, I do a semi-annual *manual* update. OTOH, usually with a broader
brush, such as CIDR ranges.

> For example, one of the largest ISPs in my city
> (population 2.7 million)


ah, a rural lifestyle...

;-)

(take a maps.google.com look at Hong Kong, Shenzhen, the Pearl River delta. Or
Beijing & sputniks)

> uses hostnames like made.brander.volia.net or
> emblazoned.cover.volia.net (two random words). Each such hostname
> is a NAT with hundreds of cable-connected win-lusers behind it,
> port 25 not blocked.


They (volia.net) seem to be generating new names and records as fast as spamhaus
can list them. Sad that the ISP doesn't block 25.

We can help them with that:

echo '*volia.net' >> /var/mail/filters/REGEXP-block

(same file looked at for host name and again later for HELO)

>
> BTW, if a win-zombie is behind a NAT in a DSL-modem (with embedded
> Linux inside), what p0f shows?
>


The default will (usually) detect the NAT'ing - and display it, even tries to
tell if it is in ITE (ex: ethernet modem) or separate (just 'NAT') along with
hop-count as 'distance':

(all ports...)

93.80.234.42:3378 - Windows 2000 SP4, XP SP1+
-> 203.194.153.81:25 (distance 21, link: (Google/AOL))
123.239.24.34:2574 - Windows 2000 SP2+, XP SP1+ (seldom 98)
-> 203.194.153.81:25 (distance 16, link: ethernet/modem)

More than good enough for my needs, though I am still puzzled that it fails to
detect all connections.

I option some of those details and the OS version 'OFF' as a 'don't care', add a
timestamp, and go for one short line.

(port 25 only)

<Thu May 14 10:46:34 2009> 76.227.64.225:37580 - Linux (NAT!) (up: 178 hrs)

Easier to parse for extraction. ' - Lin' or ' - Win'

But I'm not seeing p0f as something I need to use with Exim - more as a 'now and
then' inspection tool.

I do recommend trialing it, as it has found other things - not just smtp'ish -
that I had not thought to check.

I might apply it, for example, to restrict connections to the 'Prayer' webmail I
use (a very nice bit of kit, 'Prayer' is, BTW).

Best,

Bill
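The two p0f output shapes quoted above (the default two-line form with a "-> dst (distance N, link: ...)" continuation, and Bill's customised timestamped one-liner) lend themselves to exactly the extraction he mentions: pick off the ' - Win' / ' - Lin' family, the NAT flag and the hop distance, and then list the Windows desktops talking straight to the MX on port 25, which is the zombie profile the thread is about. The parser below is an added example written for this page, not code from Bill or from the p0f project; the sample lines are constructed from the fingerprints shown in the message plus one extra FreeBSD line, and the assumption that a one-line record with no "->" continuation is a port-25 connection mirrors Bill's "(port 25 only)" remark and is a parameter, not a p0f rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the fingerprints quoted in the post in both p0f output
# shapes, plus one extra FreeBSD line so a non-Win/Lin family is exercised.
SAMPLE_P0F_LOG = """\
93.80.234.42:3378 - Windows 2000 SP4, XP SP1+
  -> 203.194.153.81:25 (distance 21, link: (Google/AOL))
123.239.24.34:2574 - Windows 2000 SP2+, XP SP1+ (seldom 98)
  -> 203.194.153.81:25 (distance 16, link: ethernet/modem)
<Thu May 14 10:46:34 2009> 76.227.64.225:37580 - Linux (NAT!) (up: 178 hrs)
<Thu May 14 10:47:02 2009> 10.0.0.9:51122 - FreeBSD 6.x
"""

# First line of a record: optional "<timestamp>", then "src:port - OS description".
HEAD_RE = re.compile(
    r'^(?:<[^>]*>\s*)?'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+(?P<os>.*)$')

# Continuation line of the default two-line form: "-> dst:port (distance N, link: ...)".
CONT_RE = re.compile(
    r'^\s*->\s+(?P<dip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)'
    r'\s+\(distance\s+(?P<dist>\d+),')


@dataclass
class Fingerprint:
    src_ip: str
    src_port: int
    os_desc: str
    nat: bool                      # p0f printed "(NAT!)" in the OS field
    dst_port: Optional[int] = None
    distance: Optional[int] = None  # hop count p0f derived from the TTL

    @property
    def family(self) -> str:
        # Bill's shortcut: the three letters after ' - ' ("Win", "Lin", ...).
        return self.os_desc[:3]


def parse_p0f(text: str, default_dst_port: Optional[int] = 25) -> List[Fingerprint]:
    """Parse p0f v2-style output in either of the two shapes shown above.

    Records without a "->" continuation (the one-line form) get default_dst_port,
    an assumption reflecting that the one-liner log was captured for port 25 only.
    """
    records: List[Fingerprint] = []
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            os_desc = m.group('os').strip()
            records.append(Fingerprint(m.group('ip'), int(m.group('port')),
                                       os_desc, '(NAT!)' in os_desc,
                                       dst_port=default_dst_port))
            continue
        m = CONT_RE.match(line)
        if m and records:
            # Continuation belongs to the record that opened it.
            records[-1].dst_port = int(m.group('dport'))
            records[-1].distance = int(m.group('dist'))
    return records


def suspect_zombies(records: List[Fingerprint], smtp_port: int = 25) -> List[Fingerprint]:
    """Windows desktops connecting directly to the MX on port 25: the zombie profile."""
    return [r for r in records if r.family == 'Win' and r.dst_port == smtp_port]


def natted_sources(records: List[Fingerprint]) -> List[str]:
    """Sources p0f flagged as sitting behind NAT (Lena's DSL-modem question)."""
    return [r.src_ip for r in records if r.nat]


if __name__ == '__main__':
    fps = parse_p0f(SAMPLE_P0F_LOG)
    for r in fps:
        print(f"{r.src_ip:>15} {r.family} dist={r.distance} nat={r.nat}")
    print("suspect zombies:", [r.src_ip for r in suspect_zombies(fps)])
    print("behind NAT:", natted_sources(fps))
```

Run it on a real p0f capture by passing the file contents to parse_p0f(); with a capture that was not restricted to port 25, call parse_p0f(text, default_dst_port=None) so one-line records without a destination are not counted as SMTP hits.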