[Dshield] Weird McAfee TXT records?

Brendan Dolan-Gavitt mooyix at gmail.com
Tue Apr 17 14:08:33 GMT 2007


Does anyone know how to explain this? I saw it wing past one of our
IDS sensors, tripping a check for large DNS packets...

<<>> DiG 9.3.4 <<>> -t TXT qwest.net.phish2.mcafee.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50615
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;qwest.net.phish2.mcafee.com.   IN      TXT

;; ANSWER SECTION:
qwest.net.phish2.mcafee.com. 2100 IN    TXT
"1-.0ISk3HAPfQJFG0r9NptlVpMJHMyLfvniQO0qzbNfLlFv-KP1.2WXdP32MXvP3JiOnT1nhb5a1pMmovD2Ihrqzxjubvxu4Litp.Y3V"

;; AUTHORITY SECTION:
phish2.mcafee.com.      32568   IN      NS      spamrbl2.mcafee.com.
phish2.mcafee.com.      32568   IN      NS      spamrbl.mcafee.com.

;; Query time: 165 msec
;; SERVER: 129.83.20.47#53(129.83.20.47)
;; WHEN: Tue Apr 17 10:05:20 2007
;; MSG SIZE  rcvd: 207

The same works for major ISPs like aol.com, verizon.net, comcast.net,
etc. Other non-ISP sites (e.g. google.com) return a TXT entry of "not
listed". From the names, I'd guess some sort of anti-phishing / spam
blocking mechanism, but what on earth does it actually do?

-Brendan

