Security Basics mailing list archives
Re: DNSs, MXs and RBLs....
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 21 Mar 2008 00:23:30 +0100
On 2008-03-20 Santiago Barahona wrote:
> Once upon a time, there were two companies that created one new entity (let's say 50-50)... one of them provides the IT infrastructure and the other "the name" (I guess): it is company A's mail servers, and company B's domain name...

So B provides DNS services for A. That's perfectly fine.

> Since the new users will be in company A's infrastructure, their mailboxes will be hosted in company A's mail servers... but the domain name will be controlled and hosted by company B... to do this someone has suggested to company B to modify their DNS entries to point to company A's domain name....

Ummm... what? If B is providing DNS for A they already host the domain name of A themselves. Why would they want to point anywhere else?

> So when a MTA tries to reach user () newco com, it will find in Company B's DNS that it points out to companyA.com, then it will go ask a DNS who is companyA.com and deliver the mail... (tell me if I'm wrong)...

You are. The sending MTA will query one of B's nameservers for the MX record(s) of A's domain and then send to that host. See [1] for more detailed information on how DNS works.

> At first glance it looked OK but then it started to cause me trouble when I thought about the case when the users of this domain start sending mails because I think that company A's mail servers risk of being "black listed" by some RBLs... if this happens not only the users of the new entity will be perceived by spam but all users that use those servers...

Well, if A's server for outbound mail makes it on some DNSBL, mail servers employing that DNSBL will reject mail from A's server, yes. That's how DNSBLs work. See [2].

> Any light??... is it possible to get blacklisted this way??...

Possible? Yes. Likely? That depends. Why do you think you might be at risk of being blacklisted?

> do you have any suggestions on how to avoid the risk??

Don't send out spam in the first place. Having separate mail servers for A and the new entity will leave one operational in case the other gets blacklisted.

[1] http://en.wikipedia.org/wiki/Domain_Name_System
[2] http://en.wikipedia.org/wiki/DNSBL

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq