Security Incidents mailing list archives
Re: dos from .kr, plus some classic .kr irresponsibility
From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Thu, 10 Aug 2000 20:58:56 -0400
Here is a wonderful example of the difficulty of contacting administrators of IP blocks. I found a log line in our sendmail log this morning indicating an email had been rejected because the sending host did not have a DNS entry. We use Sendmail's ability to verify authenticity of sending domains to block spam.

    Aug 10 01:01:44 point sendmail[4664]: BAA04664: ruleset=check_mail, arg1=<invoice () rolemail internic net>, relay=rolemail.internic.net [216.168.233.54] (may be forged), reject=501 <invoice () rolemail internic net>... Sender domain must exist

I thought this was weird because internic (Network Solutions), of all places, should have valid DNS entries for their mail servers. Perhaps it really was a spammer faking the reverse DNS entry to allow the spam to get in, so I looked up the IP address in ARIN whois:

    08/10/00 20:53:50 IP block 216.168.233.54 () whois aunic net
    Trying 216.168.233.54 at ARIN
    Trying 216.168.233 at ARIN
    Network Solutions, Inc. (NETBLK-NSI-NETBLK1)
       505 Huntmar Park Drive
       Herndon, VA 20170
       US
       Netname: NSI-NETBLK1
       Netblock: 216.168.224.0 - 216.168.255.255
       Coordinator:
          Karas, Michael (MK124-ARIN) mkaras () netsol com
          703-326-2650 (DSN) 295-3304 (DSN) 295-3304
       Domain System inverse mapping provided by:
       NS1.NETSOL.COM 216.168.224.200
       NS2.NETSOL.COM 198.17.208.83
       NS3.NETSOL.COM 216.168.224.201
       Record last updated on 02-May-2000.
       Database last updated on 10-Aug-2000 17:54:58 EDT.
    The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.

It was Network Solutions, so I decided to send an email to the registered contact for that block asking that they correct their DNS entries. Here is the resulting error reply:

    Your message
      To: mkaras () netsol com
      Cc: Postmaster () my domain ca
      Subject: Please ensure that you use email hosts with both forward and reverse DNS entries.
      Sent: Thu, 10 Aug 2000 17:56:36 -0400
    did not reach the following recipient(s):
    mkaras () netsol com on Thu, 10 Aug 2000 17:54:31 -0400
      The recipient name is not recognized
      The MTS-ID of the original message is: c=US;a= ;p=netsol;l=?0008102154QLP94K7M
      MSEXCH:IMS:Netsol:US-Herndon-NIC:NETSOL-NIC-EX03 0 (000C05A6) Unknown Recipient

    Message-ID: <85256937.007890A5.00 () my domain ca>
    From: Bill_Royds () my domain ca
    To: mkaras () netsol com
    Cc: Postmaster () my domain ca
    Subject: Please ensure that you use email hosts with both forward and reverse DNS entries.
    Date: Thu, 10 Aug 2000 17:56:36 -0400
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.5.2448.0)
    X-MS-Embedded-Report:
    Content-Type: text/plain; charset="iso-8859-1"

    This morning our Internet email server rejected an attempt to send an email from an IP in your range that was using a source address of a host with no DNS host name. We have a policy of not accepting email with no valid return address. Please ensure that you maintain your DNS tables accurately with a forward DNS entry for rolemail.internic.net. Here is our sendmail syslog for the connect attempt.

    Aug 10 01:01:44 point sendmail[4664]: BAA04664: ruleset=check_mail, arg1=<invoice () rolemail internic net>, relay=rolemail.internic.net [216.168.233.54] (may be forged), reject=501 <invoice () rolemail internic net>... Sender domain must exist

    Times are EDT UTC-0400

Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU> on 08/09/2000 15:50:06
Please respond to Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: dos from .kr, plus some classic .kr irresponsibility

On Tue, 8 Aug 2000, Dan Hollis wrote:
Actually, I have been thinking of writing up an RFC for contact information (security, spam, etc) stored in reverse dns TXT records.
totally unneeded. people should just keep their NIC records up to freakin date and actually freakin reply. i'm so !^%$!^%# sick and !#@&^%! tired of domains that bounce, have people who have left or ignore huge assed problems, not pissy portscans but serious freakin holes. once i get back to my desk i'll finish my take on RFP's policy for bugtraq'ing as i have tweaked it for incident handling. in the meantime, if you get a collect call from me as a domain admin, answer the freakin phone, i'm probably telling you something important.

out of patience,

jose nazario
jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
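As an added example (not part of this thread and not Sendmail's own code), the following Python parses the check_mail rejection line quoted in the post above and classifies why sendmail tagged the relay "(may be forged)": the PTR for the connecting IP names a host that has no forward record confirming it. The DNS table is a constructed snapshot rather than live lookups, and the archive's "user () host" address munging is assumed to stand for the usual user@host form.

```python
import re

# Constructed sample: the sendmail check_mail rejection from the post, with the
# archive's "user () host" munging assumed to mean the usual user@host form.
SAMPLE_LOG = (
    "Aug 10 01:01:44 point sendmail[4664]: BAA04664: ruleset=check_mail, "
    "arg1=<invoice@rolemail.internic.net>, relay=rolemail.internic.net "
    "[216.168.233.54] (may be forged), reject=501 "
    "<invoice@rolemail.internic.net>... Sender domain must exist"
)

# Fields sendmail logs for a ruleset rejection; "(may be forged)" is optional.
LINE_RE = re.compile(
    r"ruleset=(?P<ruleset>\w+), arg1=<(?P<sender>[^>]*)>, "
    r"relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\](?P<forged> \(may be forged\))?, "
    r"reject=(?P<code>\d{3}) <[^>]*>\.\.\. (?P<reason>.*)$"
)

def parse_reject(line):
    """Return a dict of the rejection fields, or None for non-rejection lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sender_domain"] = d["sender"].rsplit("@", 1)[-1].lower()
    d["relay"] = d["relay"].lower()
    d["may_be_forged"] = d.pop("forged") is not None
    d["code"] = int(d["code"])
    return d

# Hypothetical DNS snapshot (constructed, no live lookups): A records and PTRs.
FORWARD = {"ns1.netsol.com": {"216.168.224.200"}}
REVERSE = {"216.168.233.54": "rolemail.internic.net",
           "216.168.224.200": "ns1.netsol.com"}

def dns_consistency(host, ip, forward=FORWARD, reverse=REVERSE):
    """Explain the relay annotation: sendmail writes '(may be forged)' when the
    PTR name for the connecting IP has no forward record pointing back at it."""
    ptr = reverse.get(ip)
    if ptr is None:
        return "no-ptr"
    if ptr != host:
        return "mismatch"
    if ip in forward.get(host, set()):
        return "consistent"
    return "ptr-without-forward"   # the case in the post above
```

Running `dns_consistency(r["relay"], r["ip"])` on the parsed sample returns "ptr-without-forward", the same condition the post asked Network Solutions to fix.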