Duplicate Posts - Burst Posts...

From: Tothwolf <tothwolf_at_concentric.net>
Date: Fri Jun 18 17:06:14 2004

On Fri, 18 Jun 2004, der Mouse wrote:

> >> Another suggestion which is remarkably effective in my experience is
> >> to do an identd lookup, not for the usual reasons but rather because
> >> quite a number of the zombie-army machines are running toy identds
> >> to satisfy things like IRC servers, and they exhibit certain
> >> protocol errors.
> > "Some of us" are running spoofed identds for other internal reasons.
> > What do you mean by "certain protocol errors"?
>
> I've noticed five major classes of errors.

> Doesn't exist
> This is an "ERROR:NO-USER" response. This should never happen;
> it indicates either a totally busted identd, a NATting gateway
> whose admin is crazy enough to run an identd without making
> sure it's a NAT-aware identd, or an 0wn3d machine with a
> rootkit good enough to hide the outgoing connection from
> whatever interface identd uses. The third one I _definitely_
> want to refuse mail from, and the other two I'm willing to call
> broken enough to refuse too. (Hm, actually, it could also be a
> portscanner connection that was reset before the identd
> response comes in; that too I have no interest in accepting
> anything from.)
>
> Most of the trips of the "bogus UNIX" test are identds that claim UNIX
> usernames beginning with a space. This was perfectly valid under
> RFC931 (which specified that whitespace was ignored even at the
> beginning of a username), but with 1314 having obsoleted 931 over a
> decade ago, I am quite willing to consider it broken today. If you use
> that one you may want to ignore leading whitespace.

Don't forget that a lot of Linux dists were shipping with identd
configured to send 'UNKNOWN' or 'ERROR:NO-USER' to all requests.
Supposedly this was to improve security...

-Toth
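As an added example, not code from the thread or from any identd, here are the two reply checks der Mouse describes (the ERROR:NO-USER "Doesn't exist" class and the "bogus UNIX" leading-whitespace test) as a small RFC 1413 reply classifier in Python, with his refuse/accept policy on top. Where the separator after the last colon ends and the user-id begins is my assumption: one space is taken as the conventional separator, so a UNIX name that still starts with whitespace is flagged.

```python
import re

# Reply classes, named after the thread's discussion of identd (RFC 1413) replies.
NO_USER = "no-user"          # ERROR : NO-USER  (der Mouse's "Doesn't exist" class)
BOGUS_UNIX = "bogus-unix"    # USERID : UNIX : user-id that begins with whitespace
OTHER_ERROR = "other-error"  # any other ERROR reply (HIDDEN-USER, INVALID-PORT, ...)
MALFORMED = "malformed"      # not parseable as an RFC 1413 reply line at all
OK = "ok"

# port-pair ":" ("USERID" | "ERROR") ":" rest. Whitespace around the leading
# tokens is ignored, matching the spacing of the RFC's own example replies.
_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:(.*)$")


def classify_ident_reply(line):
    """Return (reply_class, detail) for one raw identd reply line.
    Assumption (mine, not RFC wording): exactly one space after the last colon
    is the separator; whitespace still in front of a UNIX user-id is bogus."""
    m = _REPLY.match(line.rstrip("\r\n"))
    if not m:
        return MALFORMED, line.strip()
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        err = rest.strip().upper()
        return (NO_USER if err == "NO-USER" else OTHER_ERROR), err
    # USERID : opsys[,charset] : user-id. Split at the first colon only,
    # since the user-id itself may contain further colons.
    opsys_field, sep, user = rest.partition(":")
    if not sep:
        return MALFORMED, rest.strip()
    opsys = opsys_field.split(",")[0].strip().upper()
    if user.startswith(" "):
        user = user[1:]                      # the one conventional separator space
    if opsys == "UNIX" and user[:1] in (" ", "\t"):
        return BOGUS_UNIX, user
    return OK, user


def accept_sender(line, tolerate_leading_space=False):
    """der Mouse's policy: refuse NO-USER (and unparseable replies) outright;
    refuse bogus-UNIX names unless the caller chooses, as he suggests, to
    ignore leading whitespace. Other ERROR types (e.g. HIDDEN-USER) pass."""
    cls, _ = classify_ident_reply(line)
    if cls in (NO_USER, MALFORMED):
        return False
    if cls == BOGUS_UNIX:
        return tolerate_leading_space
    return True
```

The sample replies in the test below are constructed in the RFC's example layout; a real deployment would feed this the line read back from the remote identd before deciding whether to continue the SMTP session.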