On Thu, 2011-04-28 at 06:29 +0200, Michelle Konzack wrote:
> Hello Martin Gregorie,
> 
> On 2011-04-26 23:59:23, you hacked down the following:
> > Now I'm confused. AFAIK SA doesn't have any connection with AS112
> > lookups as either client or server - unless there's a plugin that hasn't
> > been mentioned on this list since I joined. If I'm wrong about this I
> > expect somebody will speak up and correct me....
> 
I've looked a little more into this and made this note for myself: The
AS112 Project (The Nameservers at the End of the Universe) is intended
to provide a clean, well defined destination for DNS queries concerning
RFC1918 and other DSUA networks. The intention seems to be to intercept
and reply to the anycasts that originate from a local DNS when it is
sent a request for the IP of a valid name that happens to be offline or
outside the private RFC1918 network. The intention is to prevent these
requests from flooding out onto the wider internet.

It's quite easy to see this traffic with Wireshark: just send a request
to your local DNS server for the IP of a host that is either turned off
or has a valid A record but doesn't exist. The DNS realises it's been
sent a valid request that it can't answer, so it slaps an anycast out to
the net asking who recognises this name and/or IP. Running 'ping -c1
hostname' is a good trigger to show this behaviour.

If your router has an AS112 server in it but is still letting anycasts
asking about RFC1918 IPs such as 192.168.x.y or 10.x.y.z then it's either
disabled or misconfigured.

> Hmm, there are some enterprises or such which are checking ALL Received:
> headers using spamassassin instead of checking the most recent SMTPRelay
> and they are bouncing my messages because I send my messages over my
> intranet server to my SMTP-Relay
> 
> 192.168.0.91    Workstation
> 192.168.0.69    Intranet Server
> 78.47.247.21    Mail-Relay
> x.y.z.n         some_other_destination_server
> 
> and if I send the mail like
> 
> 192.168.0.91    Workstation
> 78.47.247.21    Mail-Relay
> x.y.z.n         some_other_destination_server
> 
> then it works.  And it is definitively spamassassin which scores my mail
> VERY high, which leads to rejecting my messages.
> 
It sounds like 192.168.0.69 isn't in your trusted_networks list and
should be.
 
> Since not all incoming messages (I use fetchmail) have this AS112 problem
>
I also work this way except that I use getmail to read mail from the
POP3 server (my ISP's mailserver). 

I use getmail in place of fetchmail because I got tired of the fetchmail
bug that causes a list of unread messages to build up on the POP3 server
(I configure it to delete all messages at the end of each fetch session
and to ignore messages that have been read). I configure getmail the
same way and don't see any problems with it......

I added the POP3 server to my trusted_networks list to prevent some FPs.
However, the mail redirection server run by my domain host, which
redirects mail to my ISP's mail server, is not on my trusted_networks
list and doesn't need to be. 

> Since the UDP-Synflood mail claims it comes from 192.168.0.69 requesting
> port 53, it can only be spamassassin, because there are no other tools making
> such requests.
>
Agreed - those are DNS lookups, probably caused by SA querying UBL
lists. Only Wireshark or another TCP packet monitor can tell you that
for sure.
 
> No, because to install an AS112 server you need a BGP router like Quagga
> which I do not have on my GSM connection.
> 
I thought you said there is one in your Vodafone EasyBox? As I asked
above, are you sure that server is configured correctly and enabled? DNS
queries for RFC1918 networks (in your case 10.x.y.z and 192.168.x.y IP
addresses) should never travel out of your network since they have no
meaning outside it.
 
> > I meant just to make sure that all IPs that you consider part of your
> > intranet are in zone files on your internal DNS (192.168.0.74) and to
> 
> I have the full zone here like:
> 
That looks OK. I assume you've configured the server to be authoritative
for the private.tamay-dogan.net domain, in which case:

a) requests for unknown host names will be rejected immediately as
   'unknown'

b) requests for unknown IPs in subnet 0 will be rejected immediately as
   'unreachable'

c) BUT requests for unknown IPs in subnet 0 or for valid hostnames
   where the machine is turned off will cause an anycast to be sent
   out and will only be rejected when the request times out.
   The default timeout for my (Linux) ping is 3 seconds.

Case C is one where an operating AS112 server in your router should
prevent the anycasts from leaving your intranet and will increase
throughput by eliminating the timeout.

> I do this for exactly the same reason...  OK, I have 12 servers and
> 3 workstations here, but /etc/hosts is no option.
> 
Agreed - I don't think it's an option with more than two hosts on a
network.

> I do not know whether I should do this, because the 10.x.y.z comes from
> my ISP (Telefonica/O2) and from the view of my network, it is OUTSIDE.
> 
I'm only suggesting that the gateway, 10.165.11.117, should be added to
trusted_networks in the same way that I added my ISP's mail host to my
list. Of course you should monitor for increased spam if you do it,
because I don't understand your network....


Martin
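As an added example (not Martin's or Michelle's code, and only a simplified model of how SpamAssassin walks Received: headers against trusted_networks, not SA's own implementation), this script shows why the intranet hop matters: with 192.168.0.69 left out of trusted_networks it becomes the first untrusted relay, and adding it, or the whole 192.168.0.0/24, moves the trust boundary back to the workstation or inside the LAN entirely. The header text and host names are constructed; the IPs are the ones from the thread.

```python
import ipaddress
import re

# Constructed sample headers (newest first) for the path Michelle describes,
# as seen by SpamAssassin running on the mail relay 78.47.247.21:
# workstation 192.168.0.91 -> intranet server 192.168.0.69 -> relay.
RECEIVED_HEADERS = [
    "Received: from intranet.lan.example (intranet.lan.example [192.168.0.69])"
    " by relay.example.net with ESMTP",
    "Received: from ws.lan.example (ws.lan.example [192.168.0.91])"
    " by intranet.lan.example with ESMTP",
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(headers):
    """Pull the sending IP out of each Received: header, newest first."""
    ips = []
    for h in headers:
        m = IP_RE.search(h)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def split_trust_path(ips, trusted_networks):
    """Simplified trust-path model (an approximation of SA, not its code):
    walk relays from the newest; a relay is trusted only while every newer
    relay was trusted and its IP lies in trusted_networks. The first relay
    that fails the test, and every older relay, is untrusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for ip in ips:
        if not untrusted and any(ip in n for n in nets):
            trusted.append(str(ip))
        else:
            untrusted.append(str(ip))
    return trusted, untrusted


def first_untrusted(ips, trusted_networks):
    """The relay treated as the external origin of the message, or None
    when the whole path is trusted (the mail originated inside)."""
    _, untrusted = split_trust_path(ips, trusted_networks)
    return untrusted[0] if untrusted else None


def rfc1918_relays(ips):
    """Relays with RFC1918 addresses: if left outside trusted_networks they
    count as external hops although the addresses mean nothing off the LAN."""
    return [str(ip) for ip in ips if any(ip in n for n in RFC1918)]
```

Running `split_trust_path(relay_ips(RECEIVED_HEADERS), tn)` for `tn` equal to `[]`, `["192.168.0.69/32"]` and `["192.168.0.0/24"]` shows the boundary moving from the intranet server, to the workstation, to nowhere.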