[unisog] Collecting PTR names rather than IP addresses (Was: Re: IRC Bot list (cross posting))
jtk at northwestern.edu
Wed Feb 9 16:42:08 GMT 2005
[ I've removed the NANOG list from this thread. ]
On Wed, 09 Feb 2005 12:11:16 +0000
Ketil Froyn <kfroyn at gnr.com> wrote:
> Isn't it a good idea to collect the IP addresses rather than the ptr
> name? For instance, if I were an evil person in control of the ptr
> record of my own IP, I could easily make the name something like
> 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
> be sure you got the right details!
True, but when you're collecting info from an IRC server with just
a '/who', you can only take what it gives you (and sometimes it just
might lie to you).
> Something like this is probably not very widespread (has anyone seen it
> in practice?), but I still think that for tracking purposes, ptr records
> are useless. IMHO.
It's not widespread and it's not typically going to be done to hide
a bot. Creating bogus ptr's does happen for other reasons, such as for
comedic effect. ptr's aren't entirely useless if the admin takes the
time to validate the report. I'd bet most often they are valid, because
it just isn't worth a miscreant's effort to forge them.
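
One way to do the validation mentioned above is a forward-confirmed reverse DNS check: resolve the reported PTR name forward and see whether the observed IP is among its addresses. This is an added example, not part of the original post; the function names, the stand-in resolver and the sample report (documentation address ranges and example.net) are constructed assumptions.

```python
import socket

def forward_addrs(name):
    """Resolve a name to its set of addresses via the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_entry(ip, ptr_name, resolve=forward_addrs):
    """Classify one report entry by forward-confirming its PTR name.

    ip may be None when only the name was collected (e.g. from '/who').
    Addresses are compared as strings, so they must be in canonical form.
    """
    addrs = resolve(ptr_name.rstrip(".").lower())
    if ip is None:
        # Name only: the forward lookup yields candidate addresses, but
        # nothing ties them to the host that was actually observed.
        return ("unverifiable", sorted(addrs))
    if not addrs:
        return ("no-forward-record", [])
    if ip in addrs:
        return ("confirmed", sorted(addrs))
    # The PTR owner named a host whose forward record points elsewhere.
    return ("mismatch", sorted(addrs))

def classify_report(report, resolve=forward_addrs):
    """Return (ip, name, verdict, forward_addresses) for each entry."""
    return [(ip, name, *check_entry(ip, name, resolve)) for ip, name in report]

# Constructed sample data (RFC 5737 ranges); stands in for live DNS so the
# example runs offline.
SAMPLE_ZONE = {
    "192-0-2-10.dsl.example.net": {"192.0.2.10"},
    "192-0-2-44.dsl.example.net": {"192.0.2.44"},
}
SAMPLE_REPORT = [
    ("192.0.2.10", "192-0-2-10.dsl.example.net"),    # PTR and forward agree
    ("198.51.100.7", "192-0-2-44.dsl.example.net"),  # PTR borrows another host's name
    ("203.0.113.5", "lol.i.am.root.example.net"),    # joke PTR, no forward record
    (None, "192-0-2-44.dsl.example.net"),            # name only, no IP collected
]

def sample_resolve(name):
    return SAMPLE_ZONE.get(name, set())

if __name__ == "__main__":
    for row in classify_report(SAMPLE_REPORT, sample_resolve):
        print(row)
```

The name-only entry comes back "unverifiable" even though its forward lookup succeeds, which is the case raised in the quoted question: without the IP, a borrowed name points the report at the wrong host.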