From: James B. <jmb...@ha...> - 2007-05-30 21:39:29
James Beckett wrote:
> So far, I've only seen httpBL DNS lookups for two IP addresses - one of them
> around 4200 times and the other only once, since installation on 2007-05-02.
>
> (apache log)
> 80.237.210.109 - - [15/May/2007:16:31:46 +0100] "GET / HTTP/1.0" 200 4154 "-"
> "Lynx/2.8.4rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.6c"
>
> but the corresponding entry in named.querylog is
>
> 15-May-2007 16:31:46.757 client 127.0.0.1#50330: query:
> (my ID).235.1.194.62.dnsbl.httpbl.org IN A +
>
> The address 62.192.1.235 doesn't appear in any other apache log files, and
> seems entirely spurious.

More so for me mis-reversing it: 62.194.1.235 is the only address that gets
looked up.

Now that I've spotted my bozo error it's clear in the code - it looks as
though a test setting has been left in place:

http://httpbl.cvs.sourceforge.net/httpbl/mod_httpbl_for_apache_2.0/mod_httpbl_source/mod_httpbl.c?revision=1.1.1.1&view=markup#l_309

    #define IP_TO_LOOKUP "62.194.1.235" // a known spammer's IP ; just for testing

and later:

    ha = r->connection->remote_ip; // get the requesting IP from the request_rec
    #ifdef IP_TO_LOOKUP // if a macro is set to a hardcoded IP (for testing purposes)
    ha = IP_TO_LOOKUP;
    #endif

With this here, check_via() always looks up this address, not the remote IP
address from the request - which presumably means that all current beta
testers (unless they've quietly fixed this themselves locally, or have an
earlier version without it) are unknowingly not actually testing anything
useful!
(This test IP returns 127.86.74.3 - 86 days since activity, pretty high
threat, suspicious+harvester - the sample config should return "deny" for
this, so I'd expect any typical beta tester setup to show 100% page denial)

With the #define commented out, I'm finally seeing lookups of actual client
addresses taking place:

30-May-2007 20:07:30.533 client 127.0.0.1#57023: view internal: query: (my ID).109.210.237.80.dnsbl.httpbl.org IN A +

I'd highly recommend anyone running http:BL to run and use their own local
caching nameserver, both for reducing lookup overheads and for being able to
check the logs and see what's going on.

cheers,
James

--
James Beckett <jm...@ha...> <http://www.hackery.net/jmb/>
F601 C085 1482 B92A C812 556C A985 1497 209B 4E65
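As an added example (not mod_httpbl's own code), the two pieces of the http:BL exchange discussed in the message above: building the reversed-octet query name from the access key and the client address (the step the post shows being short-circuited by the leftover IP_TO_LOOKUP macro), and decoding a 127.days.threat.type answer such as the 127.86.74.3 quoted for the test IP. The key string, function names and the bitmask constants are assumptions made for the example; it performs no DNS lookup itself.

```c
/* Added example: http:BL query-name construction and answer decoding.
 * Not taken from mod_httpbl; names and the "KEY" placeholder are assumed. */
#include <stdio.h>
#include <string.h>

#define HTTPBL_ZONE "dnsbl.httpbl.org"

/* Visitor-type bitmask carried in the fourth octet of an http:BL answer. */
enum { HTTPBL_SUSPICIOUS = 1, HTTPBL_HARVESTER = 2, HTTPBL_COMMENT_SPAMMER = 4 };

struct httpbl_answer { int days; int threat; int type; };

/* Build "<key>.<d>.<c>.<b>.<a>.dnsbl.httpbl.org" for a client at a.b.c.d.
 * The octets are reversed, which is the detail the post initially misread.
 * Returns 0 on success, -1 if ip is not a dotted quad or out does not fit. */
int httpbl_query_name(const char *key, const char *ip, char *out, size_t outlen)
{
    unsigned a, b, c, d;
    char tail;   /* catches trailing junk such as "1.2.3.4x" */
    if (sscanf(ip, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    int n = snprintf(out, outlen, "%s.%u.%u.%u.%u.%s", key, d, c, b, a, HTTPBL_ZONE);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Decode an answer like "127.86.74.3" into days since last activity, threat
 * score and type bitmask. Returns -1 if the first octet is not 127, i.e. the
 * record is not an http:BL listing at all. */
int httpbl_decode(const char *answer, struct httpbl_answer *res)
{
    unsigned first, days, threat, type;
    if (sscanf(answer, "%u.%u.%u.%u", &first, &days, &threat, &type) != 4 ||
        first != 127)
        return -1;
    res->days = (int)days;
    res->threat = (int)threat;
    res->type = (int)type;
    return 0;
}
```

For the Lynx request in the post, httpbl_query_name("KEY", "80.237.210.109", ...) yields KEY.109.210.237.80.dnsbl.httpbl.org, matching the named.querylog line seen once the macro was commented out.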