[Dshield] Weird McAfee TXT records?
mooyix at gmail.com
Tue Apr 17 14:08:33 GMT 2007
Does anyone know how to explain this? I saw it wing past one of our
IDS sensors, tripping a check for large DNS packets...
<<>> DiG 9.3.4 <<>> -t TXT qwest.net.phish2.mcafee.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50615
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;qwest.net.phish2.mcafee.com. IN TXT
;; ANSWER SECTION:
qwest.net.phish2.mcafee.com. 2100 IN TXT
;; AUTHORITY SECTION:
phish2.mcafee.com. 32568 IN NS spamrbl2.mcafee.com.
phish2.mcafee.com. 32568 IN NS spamrbl.mcafee.com.
;; Query time: 165 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Tue Apr 17 10:05:20 2007
;; MSG SIZE rcvd: 207
The same works for major ISPs like aol.com, verizon.net, comcast.net,
etc. Other non-ISP sites (eg google.com) return a TXT entry of "not
listed". From the names, I'd guess some sort of anti-phishing / spam
blocking mechanism, but what on earth does it actually do?
More information about the list