Yehuda Posted November 15, 2016

If I remember correctly, SpamCop used to recognize private IP addresses as private and throw them out. Now it appears (no idea how long this has been going on) that it is trying DNS resolution on private IP addresses.

host 192.168.1.254 = netscreen-dig.ironport.com (cached)
netscreen-dig.ironport.com is 192.168.1.254

I wasn't sure the forum is the right place for this, but I couldn't find anywhere else.

Lking Posted November 15, 2016

A Tracking URL would help. Where in the delivery path does this happen?

I moved this thread because this would not be a "new feature" but a new problem.

Yehuda (author) Posted November 15, 2016

The report I saw this on is https://www.spamcop.net/sc?id=z6332425923zc5dcf71a8dc85a020ff6d1200f7901ccz

I can also create a fake report with arbitrary IP addresses:

Received: from [192.168.1.254] (helo=wuvb) by aestrada.com with esmtpa (Exim 4.60) (envelope-from <Aratbbvf@outlook.com>) id 1c6dSa-0004Rm-05; Tue, 15 Nov 2016 14:07:54 +0100
Received: from [192.168.1.1] (helo=wuvb) by aestrada.com with esmtpa (Exim 4.60) (envelope-from <Aratbbvf@outlook.com>) id 1c6dSa-0004Rm-05; Tue, 15 Nov 2016 14:07:54 +0100

This gives me:

host 192.168.1.254 = netscreen-dig.ironport.com (cached)
netscreen-dig.ironport.com is 192.168.1.254
host 192.168.1.1 = juggler-dig.ironport.com (cached)
juggler-dig.ironport.com is 192.168.1.1

Lking Posted November 15, 2016

Thanks for the Tracking URL. What I see is:

Quote:
Received: from [192.168.1.254] (helo=wuvb) by aestrada.com with esmtpa (Exim 4.60) (envelope-from <Aratbbvf@outlook.com>) id 1c6dSa-0004Rm-05; Tue, 15 Nov 2016 14:07:54 +0100
host 192.168.1.254 = netscreen-dig.ironport.com (cached)
netscreen-dig.ironport.com is 192.168.1.254
77.27.72.2 not listed in cbl.abuseat.org
77.27.72.2 listed in dnsbl.sorbs.net ( 2 )
77.27.72.2 is not an MX for s1.fm7.net
77.27.72.2 is not an MX for 2.72.27.77.unassigned.reverse-mundo-r.com
77.27.72.2 is not an MX for aestrada.com
77.27.72.2 is not an MX for s1.fm7.net
192.168.1.254 discarded

Who knows why the parser spends time tracking a local IP, or why the logic has changed (intentionally or not), but I think the important thing is the last line "192.168.1.254 discarded".

Yehuda (author) Posted November 15, 2016

As a network security researcher, I was just concerned about information leaking out of SpamCop's network that should not be. If it is OK with them, I don't care.

Lking Posted November 16, 2016

Good point. I had that thought about internal architecture too. But as one volunteer to another not much we can do except point out the issue to the powers that be. They do read the forum and you raised the issue. Thanks.

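The behaviour the thread expects from a header parser (classify the address in each Received line first, and issue a reverse lookup only for publicly routable hops) can be sketched as follows. This is an added example, not part of the thread and not SpamCop's parser; the function names, the stub resolver and the abridged sample lines are assumptions made for illustration.

```python
import ipaddress
import re
# Bracketed address literal as written in "Received: from [a.b.c.d] ..."
ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def classify(addr_text):
    """Return (ip, reason); reason is None only for a publicly routable address."""
    try:
        ip = ipaddress.ip_address(addr_text)
    except ValueError:
        return None, "unparseable"
    if ip.is_loopback:
        return ip, "loopback"
    if ip.is_link_local:
        return ip, "link-local"
    if ip.is_private:  # covers the RFC 1918 ranges such as 192.168.0.0/16
        return ip, "private"
    return ip, (None if ip.is_global else "non-global")

def triage(headers, resolve):
    """Walk Received lines and call resolve() only for publicly routable hops."""
    results = []
    for line in headers:
        m = ADDR_RE.search(line) if line.lower().startswith("received:") else None
        if not m:
            continue
        ip, reason = classify(m.group(1))
        if reason:
            # Discarded before any DNS query, so no lookup leaves the network
            results.append((m.group(1), "discarded: " + reason, None))
        else:
            results.append((str(ip), "resolved", resolve(str(ip))))
    return results

# Sample input: first two lines abridged from the thread, third constructed
# around the public address that appears in the quoted parser output.
SAMPLE = [
    "Received: from [192.168.1.254] (helo=wuvb) by aestrada.com with esmtpa (Exim 4.60)",
    "Received: from [192.168.1.1] (helo=wuvb) by aestrada.com with esmtpa (Exim 4.60)",
    "Received: from [77.27.72.2] (helo=wuvb) by aestrada.com with esmtpa (Exim 4.60)",
]

def demo():
    looked_up = []
    def fake_resolver(ip):  # hypothetical stand-in for a PTR lookup
        looked_up.append(ip)
        return "ptr.example.invalid"
    return triage(SAMPLE, fake_resolver), looked_up

if __name__ == "__main__":
    print(demo())
```

The resolver is passed in as a parameter so the list of addresses that would have triggered a DNS query can be inspected directly.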
Archived
This topic is now archived and is closed to further replies.