Jeff,

After I hit send on the last message - I suddenly realised what you meant by m4.surbl.org:

[root@mx1 ~]# host m.surbl.org m.surbl.org has address 64.73.0.23 m.surbl.org has address 64.73.128.55 m.surbl.org has address 188.40.23.68 m.surbl.org has address 216.143.70.135

m4 being the 4th host 216.143.70.135 and I can see it's no longer being sent:

[root@mx1 ~]# host m.surbl.org ns100.surbl.org Using domain server: Name: ns100.surbl.org Address: 94.228.131.210#53 Aliases:

m.surbl.org has address 188.40.23.68 m.surbl.org has address 64.73.0.23 m.surbl.org has address 64.73.128.55

But it's still in my cache due to the 1 day TTL on the record, so I've had to restart the cache to prevent the false positives.

Sorry for the noise.

Cheers, Steve.

On 14/03/13 15:39, Steve Freegard wrote:

Hi Jeff,

On 14/03/13 12:36, Jeff Chan wrote:

...

Thanks much Steve, I can duplicate the results, but it's actually for m4.surbl.org and related nameservers. We've undelegated those until they can be fixed.

Just got another report of this:

[root@mx1 ~]# host -a msft.net.multi.surbl.org m.surbl.org. Trying "msft.net.multi.surbl.org" Using domain server: Name: m.surbl.org. Address: 216.143.70.135#53 Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31832 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION: ;msft.net.multi.surbl.org. IN ANY

;; ANSWER SECTION: msft.net.multi.surbl.org. 180 IN A 127.0.0.4 msft.net.multi.surbl.org. 180 IN TXT "on lists [jp], See: http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http:// http://www"

Received 325 bytes from 216.143.70.135#53 in 46 ms

I'm still seeing m.surbl.org in the NS list - I also note that the TTL means that it would take 24 hours for a change to be reflected anyway:

[root@mx1 ~]# dig +trace multi.surbl.org

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> +trace multi.surbl.org ;; global options: printcmd . 6936 IN NS b.root-servers.net. . 6936 IN NS c.root-servers.net. . 6936 IN NS d.root-servers.net. . 6936 IN NS e.root-servers.net. . 6936 IN NS f.root-servers.net. . 6936 IN NS g.root-servers.net. . 6936 IN NS h.root-servers.net. . 6936 IN NS i.root-servers.net. . 6936 IN NS j.root-servers.net. . 6936 IN NS k.root-servers.net. . 6936 IN NS l.root-servers.net. . 6936 IN NS m.root-servers.net. . 6936 IN NS a.root-servers.net. ;; Received 332 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

org. 172800 IN NS b2.org.afilias-nst.org. org. 172800 IN NS d0.org.afilias-nst.org. org. 172800 IN NS b0.org.afilias-nst.org. org. 172800 IN NS a0.org.afilias-nst.info. org. 172800 IN NS a2.org.afilias-nst.info. org. 172800 IN NS c0.org.afilias-nst.info. ;; Received 435 bytes from 192.228.79.201#53(b.root-servers.net) in 43 ms

surbl.org. 86400 IN NS ns100.surbl.org. surbl.org. 86400 IN NS ns101.surbl.org. surbl.org. 86400 IN NS ns200.surbl.org. surbl.org. 86400 IN NS ns201.surbl.org. surbl.org. 86400 IN NS ns300.surbl.org. surbl.org. 86400 IN NS ns301.surbl.org. surbl.org. 86400 IN NS ns302.surbl.org. ;; Received 341 bytes from 199.249.120.1#53(b2.org.afilias-nst.org) in 23 ms

multi.surbl.org. 86400 IN NS l.surbl.org. multi.surbl.org. 86400 IN NS h.surbl.org. multi.surbl.org. 86400 IN NS b.surbl.org. multi.surbl.org. 86400 IN NS c.surbl.org. multi.surbl.org. 86400 IN NS k.surbl.org. multi.surbl.org. 86400 IN NS f.surbl.org. multi.surbl.org. 86400 IN NS a.surbl.org. multi.surbl.org. 86400 IN NS i.surbl.org. multi.surbl.org. 86400 IN NS n.surbl.org. multi.surbl.org. 86400 IN NS g.surbl.org. multi.surbl.org. 86400 IN NS m.surbl.org. multi.surbl.org. 86400 IN NS j.surbl.org. multi.surbl.org. 86400 IN NS e.surbl.org. multi.surbl.org. 86400 IN NS d.surbl.org. ;; Received 481 bytes from 94.228.131.210#53(ns100.surbl.org) in 123 ms

multi.surbl.org. 180 IN SOA dev.null. zone.surbl.org. 1363274558 180 180 604800 180 ;; Received 82 bytes from 211.29.132.122#53(l.surbl.org) in 190 ms

I also notice the zone serial is different across some of the mirrors (not sure if this is normal or not):

[root@mx1 ~]# for i in `echo a b c d e f g h i j k l m n`; do echo -en "$i.surbl.org: "; host -t SOA multi.surbl.org $i.surbl.org | tail -n1; done a.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275315 180 180 604800 180 b.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180 c.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275139 180 180 604800 180 d.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275315 180 180 604800 180 e.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275315 180 180 604800 180 f.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275139 180 180 604800 180 g.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180 h.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180 i.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180 j.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275139 180 180 604800 180 k.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275105 180 180 604800 180 l.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275139 180 180 604800 180 m.surbl.org: Host multi.surbl.org not found: 5(REFUSED) n.surbl.org: multi.surbl.org has SOA record dev.null. zone.surbl.org. 1363275171 180 180 604800 180

Cheers, Steve.