[Dshield] Weird McAfee TXT records?

Stasiniewicz, Adam stasinia at msoe.edu
Tue Apr 17 14:33:19 GMT 2007


That does look like something related to spam filtering, though I am not familiar with this format.  But realize that TXT records (though not in this format) are used for sender-based email filtering.  For instance, take a look at the TXT records of aol.com (they have both version 1 and 2 SPF records), or _domainkeys.yahoo.com (DKIM is a slightly more obscure method of sender verification).
 
But again, though I am not sure, the DNS server hosting the record is called "spamrbl", so that tells me it is probably related to spam filtering.  Maybe it is operating like a SURBL?  In that it filters "bad" domain names?  Though again, that is not the format the SURBL is in...
 
Hope that helps,
Adam Stasiniewicz

________________________________

From: list-bounces at lists.dshield.org on behalf of Brendan Dolan-Gavitt
Sent: Tue 4/17/2007 9:08 AM
To: list at lists.dshield.org
Subject: [Dshield] Weird McAfee TXT records?



Does anyone know how to explain this? I saw it wing past one of our
IDS sensors, tripping a check for large DNS packets...

<<>> DiG 9.3.4 <<>> -t TXT qwest.net.phish2.mcafee.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50615
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;qwest.net.phish2.mcafee.com.   IN      TXT

;; ANSWER SECTION:
qwest.net.phish2.mcafee.com. 2100 IN    TXT
"1-.0ISk3HAPfQJFG0r9NptlVpMJHMyLfvniQO0qzbNfLlFv-KP1.2WXdP32MXvP3JiOnT1nhb5a1pMmovD2Ihrqzxjubvxu4Litp.Y3V"

;; AUTHORITY SECTION:
phish2.mcafee.com.      32568   IN      NS      spamrbl2.mcafee.com.
phish2.mcafee.com.      32568   IN      NS      spamrbl.mcafee.com.

;; Query time: 165 msec
;; SERVER: 129.83.20.47#53(129.83.20.47)
;; WHEN: Tue Apr 17 10:05:20 2007
;; MSG SIZE  rcvd: 207

The same works for major ISPs like aol.com, verizon.net, comcast.net,
etc. Other non-ISP sites (eg google.com) return a TXT entry of "not
listed". From the names, I'd guess some sort of anti-phishing / spam
blocking mechanism, but what on earth does it actually do?

-Brendan
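As an added illustration (not code from either poster), a small Python helper that builds the SURBL-style query name discussed in the thread, parses TXT answers out of dig output like the one quoted above, and classifies the result; the phish2.mcafee.com zone and the "not listed" string come from the post, while the google.com answer line in the sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ZONE = "phish2.mcafee.com"   # list zone queried in the post
NOT_LISTED = "not listed"    # answer the post reports for unlisted domains

# Matches a TXT record and its quoted data, whether dig prints them on one
# line or (as in the quoted output) breaks the data onto the next line.
_TXT_RE = re.compile(r'^(?P<name>\S+)\.\s+(?P<ttl>\d+)\s+IN\s+TXT\s*\n?\s*"(?P<data>[^"]*)"', re.M)

def parse_dig_txt(dig_output: str) -> Dict[str, List[str]]:
    """Collect TXT answers from dig output, keyed by owner name without trailing dot."""
    answers: Dict[str, List[str]] = {}
    for m in _TXT_RE.finditer(dig_output):
        answers.setdefault(m.group("name").lower(), []).append(m.group("data"))
    return answers

@dataclass
class Verdict:
    domain: str
    qname: str
    listed: bool
    payload: Optional[str]   # opaque token the zone returned; None if unlisted or no answer

def qname_for(domain: str, zone: str = ZONE) -> str:
    """SURBL-style query name: the checked domain is prefixed to the list zone."""
    return f"{domain.strip('.').lower()}.{zone}"

def check_domain(domain: str, resolve: Callable[[str], List[str]], zone: str = ZONE) -> Verdict:
    """Classify a domain from the TXT strings returned for its query name."""
    qname = qname_for(domain, zone)
    records = [r for r in resolve(qname) if r]
    if not records or records[0].strip().lower() == NOT_LISTED:
        return Verdict(domain, qname, False, None)
    return Verdict(domain, qname, True, records[0])

# Constructed sample: the answer quoted in the post plus a hypothetical "not listed" line.
SAMPLE_DIG = '''
;; ANSWER SECTION:
qwest.net.phish2.mcafee.com. 2100 IN    TXT
"1-.0ISk3HAPfQJFG0r9NptlVpMJHMyLfvniQO0qzbNfLlFv-KP1.2WXdP32MXvP3JiOnT1nhb5a1pMmovD2Ihrqzxjubvxu4Litp.Y3V"
google.com.phish2.mcafee.com. 2100 IN   TXT     "not listed"
'''
SAMPLE_ANSWERS = parse_dig_txt(SAMPLE_DIG)

def offline_resolve(qname: str) -> List[str]:
    """Stand-in for a live DNS TXT query, answering only from the constructed sample."""
    return SAMPLE_ANSWERS.get(qname, [])
```

Swap `offline_resolve` for a real TXT lookup (e.g. via dnspython) to run it against live zones; unanswered names are treated the same as "not listed".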