Security Basics mailing list archives
RE: educating rDNS violators
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 26 Aug 2004 17:31:36 -0700
> -----Original Message-----
> From: token [mailto:chip.gwyn () gmail com]
> Sent: Thursday, August 26, 2004 12:30 AM
> To: security-basics () securityfocus com
> Subject: Re: educating rDNS violators
>
> Quick little note on what is actually happening in the above scenario.
> The e-mail server makes an SMTP connection to send the mail. The
> receiving server does a lookup for reverse DNS on the IP address. It
> gets mail.mydomain.com; next the receiving SMTP looks for the IP
> address for mail.mydomain.com and then makes sure the IPs match. If
> so, it delivers; if not, it rejects. This works with cluster-type
> mail servers as well.
>
> --chip
So with TWO requests to DNS, you've found out what ONE told you -- that the IP address that is connecting to you *has* an rDNS entry somewhere.

I could be a compromised cable-modem user whose ISP has put in a complete set of bogus-IP1-IP2-IP3-IP4-cablemodem-mumblemumble.isp.com rDNS entries for their entire address space, and, sure enough, every single one of them matches forwards and backwards without telling you ANYTHING about whether this box should be talking directly to your SMTP server.

Confirming that the IP address has an rDNS entry is of very limited utility. Confirming that it returns a name that forward-resolves to that address adds absolutely none at all.

David Gillett
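The two messages above describe the forward-confirmed reverse DNS check (PTR lookup, then A lookup, then compare) and the objection that an ISP's auto-generated per-address PTR records pass it without saying anything useful. The following is an added example, not code from either poster or from the list: it implements the check exactly as chip describes it and adds a separate heuristic flag, which is my own assumption rather than anything on the page, for PTR names that merely embed the address's own octets. DNS is replaced by constructed in-memory records so it runs offline; the addresses and hostnames are made up documentation-range values.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for live DNS so the example runs offline.
# PTR records are keyed by IP address, A records by hostname.
PTR_RECORDS = {
    "192.0.2.10": "mail.mydomain.com",
    # ISP-style generated record: the name is just the address spelled out
    "198.51.100.77": "cm-198-51-100-77.cablemodem.example-isp.com",
    "203.0.113.5": "mail.other.example",
    # 203.0.113.6 deliberately has no PTR record at all
}
A_RECORDS = {
    "mail.mydomain.com": ["192.0.2.10"],
    "cm-198-51-100-77.cablemodem.example-isp.com": ["198.51.100.77"],
    "mail.other.example": ["203.0.113.99"],  # forward does not give the connecting IP
}


def ptr_lookup(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed records (None = NXDOMAIN)."""
    return PTR_RECORDS.get(ip)


def a_lookup(name: str) -> list:
    """Forward lookup against the constructed records (empty list = no answer)."""
    return A_RECORDS.get(name, [])


@dataclass
class FcrdnsResult:
    ip: str
    ptr_name: Optional[str]
    status: str            # "no_ptr", "mismatch" or "match"
    generic_looking: bool  # heuristic from looks_generic(); assumption, not part of FCrDNS


def _is_subsequence(needle: list, haystack: list) -> bool:
    """True if every item of needle appears in haystack, in order."""
    it = iter(haystack)
    return all(item in it for item in needle)


def looks_generic(name: str, ip: str) -> bool:
    """Heuristic (my assumption): the PTR name embeds the address's four
    octets, in forward or reversed order, e.g. cm-198-51-100-77.isp.example.
    Such names pass FCrDNS but identify nothing beyond the address itself."""
    octets = ip.split(".")
    digit_runs = re.findall(r"\d+", name)
    return (_is_subsequence(octets, digit_runs)
            or _is_subsequence(list(reversed(octets)), digit_runs))


def fcrdns_check(ip: str,
                 ptr: Callable[[str], Optional[str]],
                 a: Callable[[str], list]) -> FcrdnsResult:
    """The check as described in the thread: PTR for the connecting IP,
    then A for that name, then require the original IP to be among the
    answers. The generic_looking flag is computed alongside but does not
    change the FCrDNS status."""
    name = ptr(ip)
    if name is None:
        return FcrdnsResult(ip, None, "no_ptr", False)
    forward = a(name)
    status = "match" if ip in forward else "mismatch"
    return FcrdnsResult(ip, name, status, looks_generic(name, ip))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5", "203.0.113.6"):
        r = fcrdns_check(ip, ptr_lookup, a_lookup)
        print(f"{r.ip:<16} {r.status:<9} generic={r.generic_looking}  ptr={r.ptr_name}")
```

Running the block shows the point of the reply: the cable-modem-style address gets the same "match" as the real mail host, and only the separate name heuristic distinguishes them. Swapping `ptr_lookup`/`a_lookup` for real resolver calls gives the same `fcrdns_check` against live DNS.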