Could there be bogus email from domain-block@opendns.com?

Follow

djklord

July 07, 2014 21:05

Yesterday, I received two messages (sent about 1/2 hour apart) from domain-block@opendns.com stating that "a user would like to be able to access the following domain..."

They are both requesting access to the same site, but the Email address given in the User information section of the messages is slightly different - one includes a dot (.) between what appears to be a first and last name; the other does not.

I do not know who this person might be. 

The Network Details in the User information refer to my home network.

Could this be related to somebody hacking a msg from domain-block@opendns.com? I would guess not, since the requests do seem to be legitimate.

Since I have a dynamic IP address assigned to my home, could this be a problem with messages being sent to the wrong place? Could it be that somebody else was assigned an IP address which I just recently was using?

Is this something I should be concerned about?

I live in a rural situation where it is unlikely that somebody was using my wireless connection - which does use an encryption key (not a simple one). I did, just now, change the admin password on my wireless router. It DID have one, but it wasn't very complex (just letters and numbers).

Also, the domain being requested IS actually blocked on my network.

Dan

 

1

• 

  Chris Frost July 07, 2014 21:09

  Sounds like you might have a NATd IP address from your ISP, which means that multiple customers from your ISP could be using the same IP address. Do you know if your IP address is NATd? This would explain why you are getting blocked page requests from unknown users. 

  0

  Comment actions Permalink
• 

  djklord July 07, 2014 21:21

  I don't know whether or not I have a NATd IP address. Could I discover this by inspecting either my router or (DSL) modem settings, or would I have to communicate with my ISP?

  BTW, thank you for your quick response.

  0

  Comment actions Permalink
• 

  rotblitz July 07, 2014 21:53

  It's not quite easy to find out final confirmation if you have a shared IP address without asking your ISP.

  You may perform these tests:
  http://www.lagado.com/proxy-test
  http://www.lagado.com/tools/cache-test
  And you can run a software like http://portforward.com/help/router-detector.htm
  And you can perform a WHOIS with your IP address. http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

  0

  Comment actions Permalink
• 

  rotblitz July 08, 2014 12:44

  If the above is too much efforts for you, you may perform a quicker check.  Check the IP addresses at/with:

  • http://myip.dnsomatic.com/
  • nslookup myip.opendns.com.
  • The WAN IP address at your router's/modem's status page

  They should all be identical, else your ISP is most likely somehow NATting or proxying you.

  0

  Comment actions Permalink
• 

  Brian Hartvigsen July 08, 2014 17:00

  While rotblitz's tests may expose a proxy server, most of those tests would not expose a NAT configuration.  The exception would be checking WAN IP address of the router/modem and the WHOIS information on your public IP.

  Generally in the case of a NAT setup, the WAN IP will be an RFC1918 address (e.g. 192.168.1.1 & 10.0.0.1).  But not always, they could be using some other address space, though that would be somewhat odd.

  When checking the WHOIS, some ISPs will actually label an address poll as NAT, but again, not all of them.

  Asking the ISP directly is generally the best option.  Also a note that a NAT configuration does not require a proxy server, most home networks are NAT'ed internally and have no proxy server, so those tests won't reveal anything about a NAT setup generally.

  0

  Comment actions Permalink
• 

  djklord July 08, 2014 17:13

  I appreciate the help offered. I've checked performed most of the checks suggested. I don't see any evidence of NAT going on. (I was confused for a while by the term "NATd". I know what NAT is, but not "NATd". I finally figured out, it means "NAT"ed.

  I'm going to drop this issue for now. I don't really  have time to deal with it any further. If I see such a problem again, I will call my ISP and talk to them about it.

  0

  Comment actions Permalink
• 

  rotblitz July 08, 2014 17:46

  "most of those tests would not expose a NAT configuration."

  They would.  Although these tests could merely expose the use of a proxy or caching server, these are typical situations where public IP address sharing takes effect too, and proxy/caching services necessarily come with NATting too.  So, if any of those tests is positive, then NATting and possibly public IP address sharing are involved.  But as you correctly say, these tests would not reveal NAT without proxy/caching service.

  A special case is the router-detector test.  It also exposes ISP VLAN configurations, and if the IP address on the ISP facing devices is not identical with the final public IP address being found, then we have a NAT configuration too which may or may not come with public IP address sharing.

  "they could be using some other address space, though that would be somewhat odd."

  These could be RFC-6598 Carrier Grade NAT addresses:  100.64.0.0/10  (100.64.0.0 - 100.127.255.255)
  and also RFC-5735 special case IP address ranges:

    169.254.0.0/16
    192.0.0.0/24
    192.0.2.0/24
    192.88.99.0/24
    198.18.0.0/15
    198.51.100.0/24
    203.0.113.0/24

  Summarizing: If a proxy is being used, then NAT is necessarily involved, quite often with public IP address sharing.  The other way around, NAT does not imply that a proxy is being used, but also may come with public IP address sharing.  Yes, home network routers is a good example.

  0

  Comment actions Permalink

Please sign in to leave a comment.