June 10, 2009
Another PTR mystery - this time in Portugal
For some reason, which I have been unable to explicate - even with the assistance of the Portuguese-speaking wife of a colleague - there is a tendency for schools in Portugal to have hostnames such as these:
adsl.eb1-n2-alcacersal.edu.pt
adsl.ebi-bomsucesso.edu.pt
adsl.eb1ji-saboia.edu.pt
adsl.eb1-n1-montecapela.edu.pt
adsl.ebi-abrigada.edu.pt
adsl.ep-adruralgrandola.edu.pt
adsl.eb1-n3-lagos.edu.pt
adsl.ebi-apelacao.edu.pt
adsl.eb1-n1-cartaxo.edu.pt
Just to grab some examples that showed up in a recent CBL list.txt...
The general idea seems to be that every school in Portugal should have Internet access, which is laudable. It is apparent that these schools are connected via a statically assigned ADSL link. And as they're being listed in the CBL, it's also apparent that they have issues with infected hosts on their LANs spewing spam and abusive traffic out of their networks. We hope they can address the issues involved and stay out of the blocklists, but that's not why I call attention to them now.
Enemieslist is an attempt to classify Internet hosts by their PTRs. We've found it very useful to do so by way of regular expressions. But the hosts named above don't readily lend themselves to this sort of thing, because every hostname is what we'd call a "singleton", so a pattern for each is overkill. A pattern for the whole lot of them might not be a good idea, either: while it's probable that they are all what we would classify as "static/adsl", some, or even all, of them might well be NATs ("natproxy/unknown") or VPNs ("natproxy/vpn"). The classification applied to a set of hosts is important, because each classification is used to calculate the risk of accepting mail from any member of the set, so I am reluctant to just call them static ADSL nodes. And as NATs are a much more likely source of spew from bots inside the networks than the average static ADSL node, this presents a problem.
Such are the mysteries that occupy my days.
For now, I will continue to add individual "patterns" for each of them, until I can confirm that they're all NATs or perhaps something entirely different. But if the administrator(s) in charge of the hosts in question had reflected on my needs and concerns (heh), they might have indicated more precisely whether these were to be used as NATs. I am reasonably sure, from checking the occasional MX record, that they don't handle their own inbound mail, which is routed through the Portuguese National Computing center. But beyond that, the mystery remains.
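The trade-off described above, between one pattern for the whole family and per-host "singleton" entries, can be sketched as follows. This is an added example, not Enemieslist's actual pattern format or code: the `BROAD` regex is a shape inferred only from the nine names quoted in the post, and the two `SINGLETONS` assignments are constructed for illustration.

```python
import re

# The nine PTRs quoted in the post.
SCHOOL_PTRS = [
    "adsl.eb1-n2-alcacersal.edu.pt", "adsl.ebi-bomsucesso.edu.pt",
    "adsl.eb1ji-saboia.edu.pt", "adsl.eb1-n1-montecapela.edu.pt",
    "adsl.ebi-abrigada.edu.pt", "adsl.ep-adruralgrandola.edu.pt",
    "adsl.eb1-n3-lagos.edu.pt", "adsl.ebi-apelacao.edu.pt",
    "adsl.eb1-n1-cartaxo.edu.pt",
]

# Assumed family shape: adsl.<type>-<place>.edu.pt. Dots are escaped and the
# match is anchored with fullmatch(), because a PTR is set by whoever controls
# the reverse zone and must not match as a substring of a longer name.
BROAD = re.compile(r"adsl\.[a-z0-9]+(?:-[a-z0-9]+)+\.edu\.pt")

# Hypothetical per-host table. The class names come from the post; which host
# gets which class is constructed sample data, not a real finding.
SINGLETONS = {
    "adsl.ebi-abrigada.edu.pt": "natproxy/unknown",
    "adsl.eb1-n3-lagos.edu.pt": "static/adsl",
}

def normalize(ptr):
    """Lower-case the name and drop whitespace and the trailing root dot."""
    return ptr.strip().rstrip(".").lower()

def classify(ptr):
    """Return (classification, basis) for one PTR."""
    host = normalize(ptr)
    if host in SINGLETONS:
        return SINGLETONS[host], "singleton"
    if BROAD.fullmatch(host):
        # The name fits the family, but the family has no agreed class yet,
        # so no risk class is assigned on the strength of the shape alone.
        return "unclassified", "family-match"
    return "unclassified", "no-match"

def review_queue(ptrs):
    """Hosts that fit the family shape but still lack a singleton entry."""
    return sorted(normalize(p) for p in ptrs if classify(p)[1] == "family-match")

if __name__ == "__main__":
    for ptr in SCHOOL_PTRS:
        print(ptr, classify(ptr))
    print("needs review:", review_queue(SCHOOL_PTRS))
```
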
Posted by schampeo at June 10, 2009 5:07 PM