RE: DNS poisoning or ??

["Devin Rambo" <drambo () vediorps com>]

Bill,

If you Google for "mail.greenborder.com" you'll find a listing of some
message forum posts by you in which the message ID appears to be coming from
mail.greenborder.com. Here's one example:

http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0157.html

You'll want to take a look at your mail logs and see if your server is
introducing itself to others as the nonexistent name. If so, and that
information is getting cached on remote DNS and/or email servers which your
server is communicating with, therein may lie the problem. HTH.

Devin


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Bill Stout
Sent: Saturday, January 27, 2007 3:50 PM
To: security-basics () securityfocus com
Subject: DNS poisoning or ??

Hello,

I'm working through an intermittent incoming email bounce problem I hope
someone can shed some light on.  Over the last week, a few major companies
are reporting intermittent bounces when sending email to us (maybe 5% of the
time).  When they do an MX lookup they occasionally obtain a fake hostname
and IP address.  In their email body the response looks like this:

  ... connect to mail.greenborder.com [216.52.7.214]: Connection timed out
...

I do not have a host named 'mail.greenborder.com' in my DNS records.
The IP address is not a mail server, it's an Internap address.
http://www.dnsstuff.com/tools/whois.ch?ip=216.52.7.214

<snipped>