Security Basics mailing list archives

RE: educating rDNS violators


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 26 Aug 2004 17:31:36 -0700

-----Original Message-----
From: token [mailto:chip.gwyn () gmail com]
Sent: Thursday, August 26, 2004 12:30 AM
To: security-basics () securityfocus com
Subject: Re: educating rDNS violators

Quick little note on what is actually happening in the above scenario.
The e-mail server makes an SMTP connection to send the mail. The
receiving server does a lookup for reverse DNS on the IP address. It
gets mail.mydomain.com; next the receiving SMTP server looks for the IP address
for mail.mydomain.com and then makes sure the IPs match. If so, it
delivers; if not, it rejects. This works with cluster-type mail
servers as well.

--chip


  So with TWO requests to DNS, you've found out what ONE told you -- that
the IP address that is connecting to you *has* an rDNS entry somewhere.
I could be a compromised cable-modem user whose ISP has put in a
complete set of bogus-IP1-IP2-IP3-IP4-cablemodem-mumblemumble.isp.com
rDNS entries for their entire address space, and, sure enough, every single
one of them matches forwards and backwards without telling you ANYTHING
about whether this box should be talking directly to your SMTP server.

  Confirming that the IP address has an rDNS entry is of very limited
utility. Confirming that it returns a name that forward-resolves to that
address adds absolutely none at all.

David Gillett
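The forward-confirmed reverse DNS check chip describes, run against the ISP cable-modem case David raises, as an added example (not code from either poster); the record tables, names and addresses below are constructed, and a live-resolver variant using the standard socket module is included for real use.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for DNS (assumption: illustrative names/addresses only).
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.25": ["mail.mydomain.com"],
    # ISP-style generic reverse entry covering a cable-modem pool
    "198.51.100.77": ["198-51-100-77-cablemodem.example-isp.com"],
    "203.0.113.9": [],  # no reverse entry at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.mydomain.com": ["192.0.2.25"],
    "198-51-100-77-cablemodem.example-isp.com": ["198.51.100.77"],
}

def fake_ptr(ip: str) -> List[str]:
    return PTR_RECORDS.get(ip, [])

def fake_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])

def live_ptr(ip: str) -> List[str]:
    # Real reverse lookup via the system resolver.
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []

def live_a(name: str) -> List[str]:
    # Real forward lookup via the system resolver.
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def fcrdns_check(ip: str,
                 ptr_lookup: Callable[[str], List[str]] = fake_ptr,
                 a_lookup: Callable[[str], List[str]] = fake_a
                 ) -> Tuple[bool, Optional[str]]:
    """PTR(ip) -> name, then A(name) must contain ip (the check in the thread).
    Returns (passed, name); name is None when the IP has no rDNS at all."""
    names = ptr_lookup(ip)
    if not names:
        return (False, None)
    for name in names:
        if ip in a_lookup(name):
            return (True, name)   # forward-confirmed
    return (False, names[0])      # rDNS exists but does not confirm
```

Note that the cable-modem pool address passes exactly as the mail server does, which is the point David makes: the check proves only that the ISP populated its reverse zone, not that the host should be speaking SMTP to you.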




