Security Incidents mailing list archives

Re: dos from .kr, plus some classic .kr irresponsibility


From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Thu, 10 Aug 2000 20:58:56 -0400

Here is a wonderful example of the difficulty of contacting administrators of IP
blocks.
I found a log line in our sendmail log this morning indicating an email had
been rejected because the sending host did not have a DNS entry. We use
Sendmail's ability to verify authenticity of sending domains to block spam.

Aug 10 01:01:44 point sendmail[4664]: BAA04664: ruleset=check_mail,
  arg1=<invoice () rolemail internic net>, relay=rolemail.internic.net
  [216.168.233.54] (may be forged), reject=501
  <invoice () rolemail internic net>... Sender domain must exist

I thought this was weird because internic (Network Solutions), of all places,
should have valid DNS entries for their mail servers.
Perhaps it really was a spammer faking the reverse DNS entry to allow the spam
to get in, so I looked up the IP address in ARIN whois:
     08/10/00 20:53:50 IP block 216.168.233.54 () whois aunic net
     Trying 216.168.233.54 at ARIN
     Trying 216.168.233 at ARIN
     Network Solutions, Inc. (NETBLK-NSI-NETBLK1)
        505 Huntmar Park Drive
        Herndon, VA 20170
        US

        Netname: NSI-NETBLK1
        Netblock: 216.168.224.0 - 216.168.255.255

        Coordinator:
           Karas, Michael  (MK124-ARIN)  mkaras () netsol com
           703-326-2650 (DSN) 295-3304 (DSN) 295-3304

        Domain System inverse mapping provided by:

        NS1.NETSOL.COM  216.168.224.200
        NS2.NETSOL.COM  198.17.208.83
        NS3.NETSOL.COM  216.168.224.201

        Record last updated on 02-May-2000.
        Database last updated on 10-Aug-2000 17:54:58 EDT.

     The ARIN Registration Services Host contains ONLY Internet
     Network Information: Networks, ASN's, and related POC's.
     Please use the whois server at rs.internic.net for DOMAIN related
     Information and whois.nic.mil for NIPRNET Information.


It was Network Solutions, so I decided to send an email to the registered contact
for that block asking that they correct their DNS entries.

Here is the resulting error reply:



Your message

  To:      mkaras () netsol com
  Cc:      Postmaster () my domain ca
  Subject: Please ensure that you use email hosts with both forward and
reverse DNS entries.
  Sent:    Thu, 10 Aug 2000 17:56:36 -0400

did not reach the following recipient(s):

mkaras () netsol com on Thu, 10 Aug 2000 17:54:31 -0400
    The recipient name is not recognized
     The MTS-ID of the original message is: c=US;a=
;p=netsol;l=?0008102154QLP94K7M
    MSEXCH:IMS:Netsol:US-Herndon-NIC:NETSOL-NIC-EX03 0 (000C05A6) Unknown
Recipient




Message-ID: <85256937.007890A5.00 () my domain ca>
From: Bill_Royds () my domain ca
To: mkaras () netsol com
Cc: Postmaster () my domain ca
Subject: Please ensure that you use email hosts with both forward and reverse
DNS entries.
Date: Thu, 10 Aug 2000 17:56:36 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
X-MS-Embedded-Report:
Content-Type: text/plain;     charset="iso-8859-1"





This morning our Internet email server rejected an attempt to send an email
from an IP in your range that was using a source address of a host with no DNS
host name.
We have a policy of not accepting email with no valid return address.
Please ensure that you maintain your DNS tables accurately with a forward
DNS entry for rolemail.internic.net.
Here is our sendmail syslog for the connect attempt.

Aug 10 01:01:44 point sendmail[4664]: BAA04664: ruleset=check_mail,
arg1=<invoice () rolemail internic net>, relay=rolemail.internic.net
[216.168.233.54] (may be forged), reject=501 <invoice () rolemail internic net>...
Sender domain must exist

Times are EDT UTC-0400




Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU> on 08/09/2000 15:50:06

Please respond to Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>

 To:      INCIDENTS () SECURITYFOCUS COM
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: Re: dos from .kr, plus some classic .kr irresponsibility

On Tue, 8 Aug 2000, Dan Hollis wrote:

> Actually, I have been thinking of writing up an RFC for contact
> information (security, spam, etc) stored in reverse dns TXT records.

totally unneeded. people should just keep their NIC records up to freakin
date and actually freakin reply. i'm so !^%$!^%# sick and !#@&^%! tired of
domains that bounce, have people who have left or ignore huge assed
problems, not pissy portscans but serious freakin holes.

once i get back to my desk i'll finish my take on RFP's policy for
bugtraq'ing as i have tweaked it for incident handling.

in the meantime, if you get a collect call from me as a domain admin,
answer the freakin phone, i'm probably telling you something important.

out of patience,

jose nazario                       jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc

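As an added illustration (not part of the thread above), the following Python parses the kind of sendmail check_mail rejection quoted in this post and separates the two DNS conditions it reports: the sender domain not resolving (reject=501) and the relay's reverse name not forward-confirming ("may be forged"). The log line is reconstructed from the wrapped lines in the post with the archive's address munging undone, and the lookup tables stand in for live DNS; both are constructed for the example.

```python
import re

# One sendmail check_mail rejection, as logged by sendmail via syslog.
CHECK_MAIL_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): ruleset=check_mail, "
    r"arg1=<(?P<sender>[^>]+)>, relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]"
    r"(?P<forged> \(may be forged\))?, reject=(?P<code>\d{3}) .*?\.\.\. (?P<reason>.+)$"
)

# Constructed sample: the post's log line rejoined onto one line, with
# "invoice () rolemail internic net" restored to a normal address.
SAMPLE_LOG = ("Aug 10 01:01:44 point sendmail[4664]: BAA04664: ruleset=check_mail, "
              "arg1=<invoice@rolemail.internic.net>, relay=rolemail.internic.net "
              "[216.168.233.54] (may be forged), reject=501 "
              "<invoice@rolemail.internic.net>... Sender domain must exist")

# Constructed stand-ins for DNS. The PTR for the relay IP exists, but the name it
# returns has no forward record, which is exactly the situation in the post.
FORWARD_TABLE = {"example.net": ["198.51.100.7"], "mail.example.net": ["198.51.100.7"]}
REVERSE_TABLE = {"216.168.233.54": "rolemail.internic.net", "198.51.100.7": "mail.example.net"}


def parse_check_mail_reject(line):
    """Return a dict describing a check_mail rejection, or None for any other log line."""
    m = CHECK_MAIL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["forged"] = rec["forged"] is not None          # sendmail's PTR/A mismatch marker
    rec["sender_domain"] = rec["sender"].rsplit("@", 1)[-1].lower()
    return rec


def classify_dns_state(rec, forward, reverse):
    """Evaluate the two conditions behind the rejection using the supplied tables.

    forward maps a name to its A records; reverse maps an IP to its PTR name.
    Returns (sender_domain_exists, fcrdns_ok). Existence is simplified to
    "has an A record"; sendmail itself also accepts an MX record.
    """
    domain_exists = rec["sender_domain"] in forward
    ptr = reverse.get(rec["ip"])
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the connecting IP.
    fcrdns_ok = ptr is not None and rec["ip"] in forward.get(ptr.lower(), [])
    return domain_exists, fcrdns_ok
```

Run over the sample, the parser yields queue id BAA04664 with forged=True, and the classifier reports (False, False): the sender domain has no forward record and the relay's reverse name does not confirm.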
