
Reporting page revealing internal infrastructure


Yehuda

If I remember correctly, SpamCop used to recognize private IP addresses as private and throw them out. Now it appears (no idea how long this has been going on) that it is trying DNS resolution on private IP addresses.

 

host 192.168.1.254 = netscreen-dig.ironport.com (cached)
netscreen-dig.ironport.com is 192.168.1.254

I wasn't sure the forum is the right place for this, but I couldn't find anywhere else.

Link to comment
Share on other sites

The report I saw this on is https://www.spamcop.net/sc?id=z6332425923zc5dcf71a8dc85a020ff6d1200f7901ccz

I can also create a fake report with arbitrary IP addresses:

Received: from [192.168.1.254] (helo=wuvb)
	by aestrada.com with esmtpa (Exim 4.60)
	(envelope-from <Aratbbvf@outlook.com>)
	id 1c6dSa-0004Rm-05; Tue, 15 Nov 2016 14:07:54 +0100
Received: from [192.168.1.1] (helo=wuvb)
	by aestrada.com with esmtpa (Exim 4.60)
	(envelope-from <Aratbbvf@outlook.com>)
	id 1c6dSa-0004Rm-05; Tue, 15 Nov 2016 14:07:54 +0100

This gives me:

host 192.168.1.254 = netscreen-dig.ironport.com (cached)
netscreen-dig.ironport.com is 192.168.1.254

host 192.168.1.1 = juggler-dig.ironport.com (cached)
juggler-dig.ironport.com is 192.168.1.1

 

Link to comment
Share on other sites

Thanks for the Tracking URL.  What I see is:

Quote

 

Received:  from [192.168.1.254] (helo=wuvb) by aestrada.com with esmtpa (Exim 4.60) (envelope-from <Aratbbvf@outlook.com>) id 1c6dSa-0004Rm-05; Tue, 15 Nov 2016 14:07:54 +0100

host 192.168.1.254 = netscreen-dig.ironport.com (cached)
netscreen-dig.ironport.com is 192.168.1.254
77.27.72.2 not listed in cbl.abuseat.org
77.27.72.2 listed in dnsbl.sorbs.net ( 2 )
77.27.72.2 is not an MX for s1.fm7.net
77.27.72.2 is not an MX for 2.72.27.77.unassigned.reverse-mundo-r.com
77.27.72.2 is not an MX for aestrada.com
77.27.72.2 is not an MX for s1.fm7.net

192.168.1.254 discarded

Who knows why the parser spends time tracking a local IP, or why the logic has changed (intentionally or not), but I think the important thing is the last line "192.168.1.254 discarded"

Link to comment
Share on other sites

Good point.  I had that thought about internal architecture too.  But as one volunteer to another not much we can do except point out the issue to the powers that be.  They do read the forum and you raised the issue.  Thanks.

Link to comment
Share on other sites
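
The check discussed in this thread, sketched as an added example (not SpamCop's parser code): pull the relay address out of each Received header and discard non-public addresses before any DNS lookup, so the names an internal resolver holds for private addresses never reach report output. The function names and the injected `resolve` callback are assumptions; the sample headers are constructed from the ones quoted above.

```python
import ipaddress
import re

# Matches the bracketed address literal in "Received: from ... [a.b.c.d]".
_FROM_IP = re.compile(r"^Received:\s+from\s+[^\[\n]*\[([0-9A-Fa-f:.]+)\]", re.M)

def relay_addresses(headers):
    """Return the address literal from each Received line, top to bottom."""
    return _FROM_IP.findall(headers)

def trace(headers, resolve):
    """Build report lines; `resolve` (hypothetical callback) does the PTR lookup.

    Non-public addresses are discarded before resolve() is called, so
    whatever the local resolver would answer for them is never printed.
    """
    lines, looked_up = [], []
    for literal in relay_addresses(headers):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:
            lines.append(f"{literal} discarded (not an IP address)")
            continue
        if not ip.is_global:
            # Covers RFC 1918, loopback, link-local and other reserved ranges.
            lines.append(f"{ip} discarded (not publicly routable)")
            continue
        looked_up.append(str(ip))
        lines.append(f"host {ip} = {resolve(str(ip))}")
    return lines, looked_up

# Constructed sample based on the headers quoted in the thread.
SAMPLE = """\
Received: from [192.168.1.254] (helo=wuvb)
\tby aestrada.com with esmtpa (Exim 4.60)
Received: from [192.168.1.1] (helo=wuvb)
\tby aestrada.com with esmtpa (Exim 4.60)
Received: from mail.example.net ([77.27.72.2])
\tby mx.example.org with esmtp
"""

def fake_resolver(ip):
    # Stand-in for a PTR lookup so the example runs offline.
    return "ptr-for-" + ip

if __name__ == "__main__":
    report, _ = trace(SAMPLE, fake_resolver)
    print("\n".join(report))
```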
