What is Softlayer up to now?
It had looked like a safe bet to score something for a hostname ending
"static.reverse.softlayer.com", on the assumption that legitimate senders
would get the PTR changed to their own domain.
There's always the exception, and I was asked to "whitelist" host
169.54.207.231. It's used by a legitimate company that did not change the
PTR. The interesting thing is that I found that sometime this morning its
PTR and A records were changed as follows:
old: 169.54.207.231-static.reverse.softlayer.com
new: e7.cf.36a9.ip4.static.sl-reverse.com.
Hex conversion: 231, 207, 54, 169.
I don't know how pervasive this is. Obviously it evades pattern match on
the IP address being part of the name, and packing together the last two
hex strings also makes it a little harder to parse. It also evades block by
domain name, until we notice.
Other than that I don't see the purpose to this change.
Joseph Brennan
Columbia University I T
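
Added example, not part of the original post: Python functions that recover the IPv4 address from both PTR forms quoted above, so a filter can still recognise a generic provider-assigned name after the change. The sl-reverse.com layout (two hex digits per octet, reversed order, last two octets packed into one label) is an assumption inferred from the single sample in the post, and the function names are hypothetical.

```python
import ipaddress
import re

# Old style quoted in the post: dotted-decimal address, then a hyphen.
OLD_RE = re.compile(
    r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-static\.reverse\.softlayer\.com\.?$",
    re.IGNORECASE)

# New style, inferred from the one sample in the post (assumption):
# <octet4 hex>.<octet3 hex>.<octet2 hex><octet1 hex>.ip4.static.sl-reverse.com
NEW_RE = re.compile(
    r"^([0-9a-f]{2})\.([0-9a-f]{2})\.([0-9a-f]{2})([0-9a-f]{2})"
    r"\.ip4\.static\.sl-reverse\.com\.?$",
    re.IGNORECASE)


def embedded_ip(ptr_name):
    """Return the IPv4 address encoded in a generic PTR name, or None."""
    name = ptr_name.strip()
    m = OLD_RE.match(name)
    if m:
        try:
            return ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            return None  # digits matched but are not a valid address
    m = NEW_RE.match(name)
    if m:
        # Labels appear least-significant octet first; undo the reversal.
        o4, o3, o2, o1 = (int(h, 16) for h in m.groups())
        return ipaddress.IPv4Address(f"{o1}.{o2}.{o3}.{o4}")
    return None


def is_generic_ptr(ptr_name, client_ip):
    """True when the PTR name is only an encoding of the connecting IP."""
    found = embedded_ip(ptr_name)
    return found is not None and found == ipaddress.IPv4Address(client_ip)


if __name__ == "__main__":
    samples = ("169.54.207.231-static.reverse.softlayer.com",
               "e7.cf.36a9.ip4.static.sl-reverse.com.",
               "mail.example.org")  # last entry is a constructed sample
    for name in samples:
        print(name, "->", embedded_ip(name))
```

Comparing the decoded address with the connecting IP, rather than matching on the domain alone, keeps the check from firing on a customer hostname that happens to sit under the same provider domain.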