[Dshield] Weird McAfee TXT records?

Brendan Dolan-Gavitt mooyix at gmail.com
Tue Apr 17 14:08:33 GMT 2007

Does anyone know how to explain this? I saw it wing past one of our
IDS sensors, tripping a check for large DNS packets...

<<>> DiG 9.3.4 <<>> -t TXT qwest.net.phish2.mcafee.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50615
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;qwest.net.phish2.mcafee.com.   IN      TXT

qwest.net.phish2.mcafee.com. 2100 IN    TXT

phish2.mcafee.com.      32568   IN      NS      spamrbl2.mcafee.com.
phish2.mcafee.com.      32568   IN      NS      spamrbl.mcafee.com.

;; Query time: 165 msec
;; WHEN: Tue Apr 17 10:05:20 2007
;; MSG SIZE  rcvd: 207

The same works for major ISPs like aol.com, verizon.net, comcast.net,
etc. Other non-ISP sites (e.g. google.com) return a TXT entry of "not
listed". From the names, I'd guess some sort of anti-phishing / spam
blocking mechanism, but what on earth does it actually do?

