There are sites which return with IP addresses to dns lookups, but which report as "not blacklisted" when I submit them to the lookup web page.
For example,
% dig +short twitter.com.multi.surbl.org
4.36.66.178
% dig +short test.surbl.org.multi.surbl.org
127.0.0.126
But when I enter twitter.com into http://george.surbl.org/lookup.html, it says "twitter.com is not blacklisted" in a green box. Same for test.surbl.org.
What am I missing?
Chip C Toronto
Your DNS is being corrupted. twitter.com is not blacklisted, and 4.36.66.178 is not a valid result. As long as your mail filter is not using these corrupted nameservers, then it's not an issue.
Please see:
http://www.surbl.org/faq.html#opendns
http://www.surbl.org/faq.html#dnsproxy
http://www.surbl.org/lists.html#multi
The easiest answer is to run your own nameserver on your mail filter. Most operating systems can support this.
On 6/2/09, Chip Campbell chipc@uhnresearch.ca wrote:
> There are sites which return with IP addresses to dns lookups, but which report as "not blacklisted" when I submit them to the lookup web page.
> For example,
> % dig +short twitter.com.multi.surbl.org
> 4.36.66.178
> % dig +short test.surbl.org.multi.surbl.org
> 127.0.0.126
> But when I enter twitter.com into http://george.surbl.org/lookup.html, it says "twitter.com is not blacklisted" in a green box. Same for test.surbl.org.
> What am I missing?
> Chip C Toronto
> _______________________________________________
> Discuss mailing list
> Discuss@lists.surbl.org
> http://lists.surbl.org/mailman/listinfo/discuss
Hi!
> There are sites which return with IP addresses to dns lookups, but which report as "not blacklisted" when I submit them to the lookup web page.
> For example,
> % dig +short twitter.com.multi.surbl.org
> 4.36.66.178
> % dig +short test.surbl.org.multi.surbl.org
> 127.0.0.126
> But when I enter twitter.com into http://george.surbl.org/lookup.html, it says "twitter.com is not blacklisted" in a green box. Same for test.surbl.org.
> What am I missing?
If you get -anything- else back than 127.0.* as an answer to your request you seriously have to ask what your DNS provider is doing. Since there is nothing else in the zonefiles.
Bye, Raymond.
Thanks, Raymond and Jeff.
Yes, it's weirdness in the dns, but it's not local to our site (we do run our own dns servers).
Here are two queries executed at the main nameservers at the University of Toronto:
$ dig +short @128.100.100.128 twitter.com.multi.surbl.org
4.36.66.178
$ dig +short @128.100.102.201 twitter.com.multi.surbl.org
202.106.1.2
And here's two executed at York University, also in Toronto:
$ dig +short @130.63.168.21 twitter.com.multi.surbl.org
216.234.179.13
$ dig +short @130.63.237.99 twitter.com.multi.surbl.org
203.161.230.171
Meanwhile, of our two nameservers, we've determined that only the one that our spam appliance was hitting had the bad result cached; the other was returning null for twitter. I've pointed our spam appliance at the clean one. Also, a neighbouring institution, who are likely not doing surbl lookups, gets clean results. It's safe to assume that one or more groups within York and U of T are doing surbl lookups.
I'm thinking this suggests that for a while earlier today (these answers are coming with ttl values up to 60000 sec) someone successfully injected some bogusness into surbl.org's resolutions. When I do dig +trace, I get correct results, so the wrongness is only in the cache.
I'd be pleased to do some more digs on these hosts if you'd like. I have *no* admin-level access to their nameservers, though.
Chip
(PS I still don't understand why I get a negative result when I type test.surbl.org into the lookup page.)
-----Original Message-----
From: discuss-bounces@lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Raymond Dijkxhoorn
Sent: June 2, 2009 13:14
To: SURBL Discussion list
Subject: Re: [SURBL-Discuss] Lookup web page not showing blacklisted urls?
Hi!
> There are sites which return with IP addresses to dns lookups, but which report as "not blacklisted" when I submit them to the lookup web page.
> For example,
> % dig +short twitter.com.multi.surbl.org
> 4.36.66.178
> % dig +short test.surbl.org.multi.surbl.org
> 127.0.0.126
> But when I enter twitter.com into http://george.surbl.org/lookup.html, it says "twitter.com is not blacklisted" in a green box. Same for test.surbl.org.
> What am I missing?
If you get -anything- else back than 127.0.* as an answer to your request you seriously have to ask what your DNS provider is doing. Since there is nothing else in the zonefiles.
Bye, Raymond.
Chip Campbell wrote:
> Thanks, Raymond and Jeff.
> Yes, it's weirdness in the dns, but it's not local to our site (we do run our own dns servers).
> Here are two queries executed at the main nameservers at the University of Toronto:
> $ dig +short @128.100.100.128 twitter.com.multi.surbl.org
> 4.36.66.178
> $ dig +short @128.100.102.201 twitter.com.multi.surbl.org
> 202.106.1.2
> And here's two executed at York University, also in Toronto:
> $ dig +short @130.63.168.21 twitter.com.multi.surbl.org
> 216.234.179.13
> $ dig +short @130.63.237.99 twitter.com.multi.surbl.org
> 203.161.230.171
I confirm...
[martins@localhost ~]$ host twitter.com.multi.surbl.org.
Host twitter.com.multi.surbl.org. not found: 3(NXDOMAIN)
[martins@localhost ~]$ host twitter.com.multi.surbl.org.
twitter.com.multi.surbl.org has address 209.145.54.50
Host twitter.com.multi.surbl.org not found: 3(NXDOMAIN)
Host twitter.com.multi.surbl.org not found: 3(NXDOMAIN)
[martins@localhost ~]$ host twitter.com.multi.surbl.org.
Host twitter.com.multi.surbl.org. not found: 3(NXDOMAIN)
[martins@localhost ~]$ host twitter.com.multi.surbl.org.
twitter.com.multi.surbl.org has address 203.161.230.171
Host twitter.com.multi.surbl.org not found: 3(NXDOMAIN)
Host twitter.com.multi.surbl.org not found: 3(NXDOMAIN)
[martins@localhost ~]$ host twitter.com.multi.surbl.org.| grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
twitter.com.multi.surbl.org has address 211.94.66.147
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
twitter.com.multi.surbl.org has address 216.234.179.13
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
twitter.com.multi.surbl.org has address 216.234.179.13
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
[martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
twitter.com.multi.surbl.org has address 211.94.66.147
[martins@localhost ~]$
Hi!
> > And here's two executed at York University, also in Toronto:
> > $ dig +short @130.63.168.21 twitter.com.multi.surbl.org
> > 216.234.179.13
> > $ dig +short @130.63.237.99 twitter.com.multi.surbl.org
> > 203.161.230.171
> I confirm...
> [martins@localhost ~]$ host twitter.com.multi.surbl.org.
> Host twitter.com.multi.surbl.org. not found: 3(NXDOMAIN)
> [martins@localhost ~]$ host twitter.com.multi.surbl.org.
> twitter.com.multi.surbl.org has address 209.145.54.50
> Host twitter.com.multi.surbl.org not found: 3(NXDOMAIN)
> Host twitter.com.multi.surbl.org not found: 3(NXDOMAIN)
> [martins@localhost ~]$ host twitter.com.multi.surbl.org.
> Host twitter.com.multi.surbl.org. not found: 3(NXDOMAIN)
> [martins@localhost ~]$ host twitter.com.multi.surbl.org.
> twitter.com.multi.surbl.org has address 203.161.230.171
> Host twitter.com.multi.surbl.org not found: 3(NXDOMAIN)
> Host twitter.com.multi.surbl.org not found: 3(NXDOMAIN)
>
> twitter.com.multi.surbl.org has address 216.234.179.13
> [martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
> [martins@localhost ~]$ host twitter.com.multi.surbl.org. | grep -v NXDOMAIN
> twitter.com.multi.surbl.org has address 211.94.66.147
> [martins@localhost ~]$
Almost sounds like either a broken DNS somewhere or ... cache poisoning.
Would be interesting to check this with a capture running so you see what server is telling this.
Bye, Raymond.
Hi!
> [martins@localhost ~]$ host twitter.com.multi.surbl.org.
> There is a problem with one of the surbl.org DNS servers.
surbl.org nameservers, or multi.surbl.org nameservers? Two different things.
For the first I don't see issues, for the second, it's only rbldnsd servers so wonder how this could be....
Bye, Raymond.
Hi!
> > There is a problem with one of the surbl.org DNS servers.
> surbl.org nameservers, or multi.surbl.org nameservers? Two different things.
> For the first I don't see issues, for the second, it's only rbldnsd servers so wonder how this could be....
Most likely narrowed down to a broken nameserver, we will remove it from the pool.
[root@shout10 ~]# host 123.125.50.246
246.50.125.123.in-addr.arpa domain name pointer m50-246.163.com.
[root@shout10 ~]# host twitter.com.multi.surbl.org 123.125.50.246
Using domain server:
Name: 123.125.50.246
Address: 123.125.50.246#53
Aliases:

twitter.com.multi.surbl.org has address 202.181.7.85
twitter.com.multi.surbl.org has address 202.106.1.2
;; Got bad packet: bad label type
88 bytes
cc f4 85 80 00 01 00 01 00 00 00 00 07 74 77 69
74 74 65 72 03 63 6f 6d 05 6d 75 6c 74 69 05 73
75 72 62 6c 03 6f 72 67 00 00 0f 00 01 07 74 77
69 74 74 65 72 03 63 6f 6d 05 6d 75 6c 74 69 05
73 75 72 62 6c 03 6f 72 67 00 00 0f 00 01 00 01
51 80 00 04 04 24 42 b2
So able to reproduce this. But it's depending what machine you are using, what reply you get. On some I get random results, on others I get nxdomain, on this exact same server.
Bye, Raymond.
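
Added example (not part of the original thread and not SURBL's own code): the Python below decodes the 88-byte reply quoted in the last message and applies the rule stated earlier in the thread, that a genuine answer is always 127.0.*. The function names are hypothetical, and 127.0.* is modelled here as 127.0.0.0/16.

```python
import ipaddress
import struct

# Rule stated in the thread: genuine answers are always 127.0.* (modelled as a /16).
SURBL_RANGE = ipaddress.ip_network("127.0.0.0/16")
# The 88-byte reply from the last message, copied from the page.
QNAME = "07 74 77 69 74 74 65 72 03 63 6f 6d 05 6d 75 6c 74 69 05 73 75 72 62 6c 03 6f 72 67 00"
PACKET = bytes.fromhex("cc f4 85 80 00 01 00 01 00 00 00 00" + QNAME + "00 0f 00 01"
                       + QNAME + "00 0f 00 01 00 01 51 80 00 04 04 24 42 b2")

def read_name(buf, off):
    """Read an uncompressed DNS name; return (name, offset just past it)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0:  # top two bits set: not a plain length-prefixed label
            raise ValueError(f"bad label type 0x{length:02x}")
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def is_listing(addr):
    """True only when an answer falls inside the 127.0.* range."""
    return ipaddress.ip_address(addr) in SURBL_RANGE

def audit_reply(buf):
    """Decode a one-question, one-answer reply and list what is wrong with it."""
    _id, _flags, qdcount, ancount = struct.unpack_from("!4H", buf, 0)
    if (qdcount, ancount) != (1, 1):
        raise ValueError("expected exactly one question and one answer")
    qname, off = read_name(buf, 12)
    qtype, _qclass = struct.unpack_from("!2H", buf, off)
    _rname, off = read_name(buf, off + 4)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    rdata = buf[off + 10:off + 10 + rdlen]
    problems = []
    if rtype == 15:  # MX rdata must be a 2-byte preference followed by a hostname
        try:
            read_name(rdata, 2)
        except (ValueError, IndexError) as exc:
            problems.append(f"MX rdata is not a hostname ({exc})")
    if rdlen == 4 and not is_listing(str(ipaddress.IPv4Address(rdata))):
        problems.append(f"{ipaddress.IPv4Address(rdata)} is outside 127.0.*")
    return {"qname": qname, "qtype": qtype, "ttl": ttl, "problems": problems}

if __name__ == "__main__":
    print(audit_reply(PACKET))
    print({a: is_listing(a) for a in ("4.36.66.178", "202.106.1.2", "127.0.0.126")})
```

Decoded, the reply answers an MX question with four bytes of rdata that read as 4.36.66.178, the address from the first message in the thread; parsing those bytes as MX data stops at 0x42, consistent with the "bad label type" error that host printed.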