On Fri, 18 Jun 2004, der Mouse wrote:
>>> Another suggestion which is remarkably effective in my experience is
>>> to do an identd lookup, not for the usual reasons but rather because
>>> quite a number of the zombie-army machines are running toy identds
>>> to satisfy things like IRC servers, and they exhibit certain
>>> protocol errors.
>> "Some of us" are running spoofed identds for other internal reasons.
>> What do you mean by "certain protocol errors"?
> I've noticed five major classes of errors.
>
> Doesn't exist
>   This is an "ERROR:NO-USER" response. This should never happen;
>   it indicates either a totally busted identd, a NATting gateway
>   whose admin is crazy enough to run an identd without making
>   sure it's a NAT-aware identd, or an 0wn3d machine with a
>   rootkit good enough to hide the outgoing connection from
>   whatever interface identd uses. The third one I _definitely_
>   want to refuse mail from, and the other two I'm willing to call
>   broken enough to refuse too. (Hm, actually, it could also be a
>   portscanner connection that was reset before the identd
>   response comes in; that too I have no interest in accepting
>   anything from.)
>
> Most of the trips of the "bogus UNIX" test are identds that claim UNIX
> usernames beginning with a space. This was perfectly valid under
> RFC 931 (which specified that whitespace was ignored even at the
> beginning of a username), but with RFC 1413 having obsoleted 931 over a
> decade ago, I am quite willing to consider it broken today. If you use
> that one you may want to ignore leading whitespace.
Don't forget that a lot of Linux dists were shipping with identd
configured to send 'UNKNOWN' or 'ERROR:NO-USER' to all requests.
Supposedly this was to improve security...
-Toth
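The ident classification the thread describes, as an added example that is not code from der Mouse, Toth or any identd: it parses RFC 1413 reply lines and sorts them into the classes discussed above ("ERROR:NO-USER", a UNIX user-id that begins with whitespace, the all-requests "UNKNOWN" placeholder Toth mentions), with a `strict` switch for the "you may want to ignore leading whitespace" option. The wire form of the UNKNOWN answer, and the treatment of the single space after the last colon as layout rather than part of the user-id, are assumptions of this example; `ident_lookup` and the sample replies are constructed for illustration.

```python
"""Classify RFC 1413 (ident) replies into the classes discussed in the thread.
Added example; not code from der Mouse, Toth or any ident daemon."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 1413 reply shapes (colon-separated fields, port pair first):
#   <port>, <port> : USERID : <opsys>[,<charset>] : <user-id>
#   <port>, <port> : ERROR  : <error-type>
_REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:(.*)$",
                       re.IGNORECASE)


@dataclass
class Verdict:
    cls: str            # ok | no-user | bogus-unix | unknown | hidden | error | malformed
    user: Optional[str]
    detail: str


def classify_reply(raw: bytes, strict: bool = True) -> Verdict:
    """Classify one ident reply line.

    strict=True applies the 'bogus UNIX' test as der Mouse describes it: a
    UNIX user-id beginning with whitespace is a protocol error.  strict=False
    ignores the leading whitespace instead, as he suggests for sites that
    want to tolerate RFC 931-era daemons.
    """
    line = raw.decode("latin-1").rstrip("\r\n")
    m = _REPLY_RE.match(line)
    if m is None:
        return Verdict("malformed", None, "does not parse as an RFC 1413 reply")
    kind, rest = m.group(3).upper(), m.group(4)

    if kind == "ERROR":
        err = rest.strip().upper()
        if err == "NO-USER":
            return Verdict("no-user", None, "ERROR:NO-USER ('doesn't exist' class)")
        if err == "HIDDEN-USER":
            return Verdict("hidden", None, "server declines to identify the user")
        return Verdict("error", None, "ERROR:" + err)

    # USERID reply: the opsys field, then the user-id after the next colon.
    opsys, sep, user = rest.partition(":")
    if not sep:
        return Verdict("malformed", None, "USERID reply has no user-id field")
    opsys = opsys.strip().split(",")[0].strip().upper()
    # Assumption of this example: the one space after the colon, as in the
    # RFC's own examples, is layout; anything beyond it belongs to the user-id.
    if user.startswith(" "):
        user = user[1:]
    if user.strip().upper() == "UNKNOWN":
        # Toth's point: some distributions ship identd answering UNKNOWN for
        # every request.  The exact wire form is assumed here.
        return Verdict("unknown", None, "placeholder user-id UNKNOWN")
    if opsys == "UNIX" and user[:1].isspace():
        if strict:
            return Verdict("bogus-unix", user, "UNIX user-id begins with whitespace")
        user = user.lstrip()
    if not user:
        return Verdict("malformed", None, "empty user-id")
    return Verdict("ok", user, f"{opsys} user {user!r}")


def ident_lookup(peer_ip: str, peer_port: int, local_port: int = 25,
                 timeout: float = 5.0) -> Verdict:
    """Ask peer_ip's identd who owns its connection from peer_port to our
    local_port.  The request is '<port on their side> , <port on our side>'."""
    try:
        with socket.create_connection((peer_ip, 113), timeout=timeout) as s:
            s.sendall(f"{peer_port} , {local_port}\r\n".encode("ascii"))
            data = b""
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError as e:
        return Verdict("error", None, f"no ident reply: {e}")
    return classify_reply(data)


# Constructed sample replies, one per class discussed in the thread.
SAMPLES = {
    b"6191, 25 : USERID : UNIX : stjohns\r\n": "ok",
    b"6191, 25 : ERROR : NO-USER\r\n": "no-user",
    b"6191, 25 : USERID : UNIX :  bob\r\n": "bogus-unix",
    b"6191, 25 : USERID : OTHER : UNKNOWN\r\n": "unknown",
    b"6191, 25 : ERROR : HIDDEN-USER\r\n": "hidden",
    b"garbage\r\n": "malformed",
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        v = classify_reply(raw)
        print(f"{v.cls:11} {str(v.cls == expected):5} {v.detail}")
```

An MTA would call `ident_lookup(peer_ip, peer_port)` from its connection handler and treat `no-user` and `bogus-unix` the way der Mouse does, and `unknown` the way Toth's remark suggests: as a deliberate configuration rather than a broken daemon. A connection reset before the reply arrives surfaces as the `error` class, which the thread likewise has no interest in accepting mail from.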