Security Basics mailing list archives
RE: DNS poisoning or ??
From: "Devin Rambo" <drambo () vediorps com>
Date: Mon, 29 Jan 2007 12:03:24 -0500
Bill,

If you Google for "mail.greenborder.com" you'll find a listing of some message forum posts by you in which the message ID appears to be coming from mail.greenborder.com. Here's one example:

http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0157.html

You'll want to take a look at your mail logs and see if your server is introducing itself to others as the nonexistent name. If so, and that information is getting cached on remote DNS and/or email servers which your server is communicating with, therein may lie the problem.

HTH.

Devin

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Bill Stout
Sent: Saturday, January 27, 2007 3:50 PM
To: security-basics () securityfocus com
Subject: DNS poisoning or ??

Hello,

I'm working through an intermittent incoming email bounce problem I hope someone can shed some light on.

Over the last week, a few major companies are reporting intermittent bounces when sending email to us (maybe 5% of the time). When they do an MX lookup they occasionally obtain a fake hostname and IP address. In their email body the response looks like this:

... connect to mail.greenborder.com [216.52.7.214]: Connection timed out ...

I do not have a host named 'mail.greenborder.com' in my DNS records. The IP address is not a mail server, it's an Internap address.

http://www.dnsstuff.com/tools/whois.ch?ip=216.52.7.214

<snipped>
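
The check suggested in the reply above can also be run against a delivered copy of one of your own messages; the following is an added example, not part of the original thread. It assumes a Postfix-style Received header layout, and the function names, the example.net/example.org hosts, the 192.0.2.10 address and the PUBLISHED set are all hypothetical.

```python
import re
from email import message_from_string

# Constructed sample message. Only mail.greenborder.com comes from the thread;
# every other host, address and id is a placeholder.
SAMPLE = """\
Received: from mail.greenborder.com (mx1.example.net [192.0.2.10])
\tby lists.example.org (Postfix) with ESMTP id 4A1B2C3D
\tfor <list@example.org>; Sat, 27 Jan 2007 15:50:12 -0500 (EST)
Message-ID: <0123456789ABCDEF@mail.greenborder.com>
From: sender@example.net
Subject: constructed test message

body
"""

# Hostnames assumed to exist in the sender's DNS zone (hypothetical).
PUBLISHED = {"mx1.example.net"}

# "from <HELO name> (<reverse DNS name> [<client IP>])", as the receiver logged it.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)?\s*\[([0-9a-fA-F.:]+)\]\)")


def announced_names(raw):
    """Return (received_hops, message_id_host) parsed from a raw message."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))  # unfold the header first
        if m:
            hops.append({"helo": m.group(1).lower(),
                         "rdns": (m.group(2) or "").lower(),
                         "ip": m.group(3)})
    mid = msg.get("Message-ID", "")
    mid_host = mid.strip().strip("<>").rpartition("@")[2].lower()
    return hops, mid_host


def unpublished_names(raw, published):
    """Names the server announced (HELO, Message-ID) that DNS does not publish."""
    hops, mid_host = announced_names(raw)
    seen = {h["helo"] for h in hops}
    if mid_host:
        seen.add(mid_host)
    return sorted(seen - published)


if __name__ == "__main__":
    print(unpublished_names(SAMPLE, PUBLISHED))
```

A name in the result is one the server announces about itself but that has no record in the zone, which is the mismatch the reply says to look for in the mail logs.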