Type 18 explained

A lot of requests for removal of type 18 listings claim they are due to (mail)spam.

Undernet, among other IRC networks, gets a lot of compromised connections because some kiddie decides to use that network as a control server. In most cases these are mail and/or DNS servers, and in most cases the owner of the IP was smart enough to set the PTR record in DNS to something that also reflects this usage.

As of the date of this blog entry, there are already 4000 *ACTIVE* unique IPs listed for having connected to Undernet alone, and this number is growing steadily.

Now there are two options:

My entire network does not contain IRC visitors:

In this case you DO have a problem: something on your network contains a drone. Please note that *ANYTHING* able to generate outgoing traffic can be a source.

Yes, my network contains IRC visitors and I am 100000% sure everything is secure:

In this case you are most likely also using the specified IP as the gateway for your network. This is bad (as you have probably already noticed), and you now have two possible solutions:

  • If you have multiple IPs assigned on your WAN, use a different IP as gateway.
  • Change your PTR and A records on this IP (ensure every service accepts/sends out as the new name; you can still use the old one as CNAME for your clients).

outsider / Apr-08-2016 14:31:47 GMT
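For the first case above (no IRC users on the network), one way to find which internal host behind the listed IP is opening IRC connections. This is an added example, not part of the original post; it assumes iptables-style LOG lines collected at the gateway, a commonly used set of IRC ports, and a hypothetical host inventory, and all sample data is constructed.

```python
import re
from collections import defaultdict

# Assumption: commonly used IRC ports (6660-6669 and 7000 plaintext, 6697 TLS).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Assumption: hypothetical inventory of hosts that should never speak IRC.
NO_IRC_HOSTS = {"192.168.1.10": "mail server", "192.168.1.11": "dns server"}

# Constructed sample lines in (trimmed) iptables LOG format, not real traffic.
SAMPLE_LOG = """\
Apr  8 14:02:11 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=6667 SYN
Apr  8 14:02:12 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.25 PROTO=TCP SPT=40112 DPT=25 SYN
Apr  8 14:03:40 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=6697 SYN
Apr  8 14:04:02 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=198.51.100.53 PROTO=UDP SPT=53211 DPT=53
Apr  8 14:05:19 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.77 PROTO=TCP SPT=51240 DPT=7000 SYN
Apr  8 14:06:00 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.10 PROTO=UDP SPT=53300 DPT=6667
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def irc_sources(log_text):
    """Return {internal_src: sorted [(dst, dport)]} for outbound TCP to IRC ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue  # IRC runs over TCP; skip UDP and malformed lines
        if int(f["DPT"]) in IRC_PORTS and "SRC" in f and "DST" in f:
            hits[f["SRC"]].add((f["DST"], int(f["DPT"])))
    return {src: sorted(dsts) for src, dsts in hits.items()}

def triage(log_text):
    """Split IRC-speaking hosts: 'investigate' (should never IRC) vs 'review'."""
    report = {"investigate": {}, "review": {}}
    for src, dsts in irc_sources(log_text).items():
        bucket = "investigate" if src in NO_IRC_HOSTS else "review"
        report[bucket][src] = dsts
    return report

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_LOG).items():
        for src, dsts in sorted(hosts.items()):
            role = NO_IRC_HOSTS.get(src, "workstation/unknown")
            print(f"{bucket:11} {src:15} ({role}) -> {dsts}")
```

Hosts in the "investigate" bucket are servers with no reason to talk IRC; hosts in "review" may be legitimate IRC users sharing the gateway IP, which is the second case above.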

Comments for Type 18 explained


Anonymous said on Dec-06-2016 20:49:25 GMT :

So if you only have one IP for the network, you cannot have both a valid PTR for a mail server, and an IP that will not be banned as type 18 if you also have IRC users. Great.

Alexander Maassen said on Dec-26-2016 17:26:57 GMT :

@Anonymous: Who says you are required to have mail/mx/whatever in your PTR for a mail server?

In fact, that's just cosmetic.
