Security Basics mailing list archives

DNS poisoning or ??


From: "Bill Stout" <bill.stout () greenborder com>
Date: Sat, 27 Jan 2007 12:49:38 -0800

Hello,

I'm working through an intermittent incoming email bounce problem I hope
someone can shed some light on.  Over the last week, a few major
companies are reporting intermittent bounces when sending email to us
(maybe 5% of the time).  When they do an MX lookup they occasionally
obtain a fake hostname and IP address.  In their email body the response
looks like this:

  ... connect to mail.greenborder.com [216.52.7.214]: Connection timed
out ...

I do not have a host named 'mail.greenborder.com' in my DNS records.
The IP address is not a mail server, it's an Internap address.
http://www.dnsstuff.com/tools/whois.ch?ip=216.52.7.214

I'm suspecting DNS cache poisoning, but it's happening at remote sites
and I don't have much data to go on.  Since these are larger companies I
don't expect they have vulnerable DNS servers.

My MX records are here:
http://www.dnsstuff.com/tools/lookup.ch?name=greenborder.com&type=MX
(Temporarily modified for troubleshooting purposes)

greenborder.com. MX IN 7200 USC1.MAILHOSTSXODE.NET. [Preference = 10] 
greenborder.com. MX IN 7200 MAILGATE.greenborder.com. [Preference = 1] 
greenborder.com. MX IN 7200 USP1.MAILHOSTSXODE.NET. [Preference = 5] 
greenborder.com. NS IN 7200 NS31.WORLDNIC.com. 
greenborder.com. NS IN 7200 NS32.WORLDNIC.com. 
MAILGATE.greenborder.com. A IN 7200 66.123.15.52

Our DNS records are hosted by Network Solutions, so I called them
looking for help from one of their security experts.  Of course Customer
Support answers, and their guys are _absolutely clueless_ on how DNS
works.  When I mention bounces due to MX record lookups they keep
referring me to 'the provider who hosts my email service', apparently
reading from a flowchart script, and speaking in a fake American accent.
When I mention MX records are DNS records, they say 'you have exceeded
the ability of customer support, we need to forward this to
engineering'.  I told them it was urgent, to escalate to security, and
asked for someone in their security team to call me.  I'm not expecting
much help from Network Solutions, I think all they do is produce banner
ads and ask you to buy something each time you talk to them.

Any knowledgeable help would be appreciated.

Thanks in advance,

Bill Stout
GreenBorder
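An added example, not part of the original post: a small stand-alone Python checker that builds a raw MX query, parses the reply (including name-compression pointers), verifies the transaction ID, and diffs what a given resolver returns against the MX set the authoritative servers publish. Run against a remote site's recursive resolver (if they will query it for you) and against your own authoritative servers, it turns "occasionally get a fake hostname" into a concrete list of entries that should not be there. The domain name and the legitimate MX hosts come from the post; the resolver address, the `(0, "mail.greenborder.com")` preference value and the sample packet are constructed for the offline demo.

```python
"""Compare the MX RRset a resolver hands out with the authoritative one.
Standard library only. Sample packet below is constructed, not captured."""
import random
import socket
import struct

DOMAIN = "greenborder.com"
# Legitimate MX set as listed in the post (names lower-cased for comparison).
AUTHORITATIVE_MX = {
    (1, "mailgate.greenborder.com"),
    (5, "usp1.mailhostsxode.net"),
    (10, "usc1.mailhostsxode.net"),
}

def encode_name(name):
    """Dotted name -> DNS wire format (no compression)."""
    out = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_mx_query(name, txid):
    """Standard recursive query, QTYPE 15 (MX), QCLASS 1 (IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 15, 1)

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2             # caller resumes after the pointer
            hops += 1
            if hops > 20:
                raise ValueError("compression pointer loop")
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)

def parse_mx_response(msg, expected_txid):
    """Return the MX RRset as a set of (preference, exchange) pairs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if (flags & 0x000F) != 0:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                      # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = set()
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 15:
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            exchange, _ = read_name(msg, offset + 2)
            answers.add((pref, exchange))
        offset += rdlen
    return answers

def query_mx(server_ip, name, timeout=3.0):
    """Live UDP query of one resolver; returns its MX RRset."""
    txid = random.randrange(0, 65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_mx_query(name, txid), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_mx_response(data, txid)

def unexpected_mx(authoritative, observed):
    """Entries the resolver returned that the authoritative set lacks."""
    return observed - authoritative

def build_sample_response(txid, mx_records):
    """Constructed reply for offline use; answer names use a 0xC00C pointer
    back to the question name, as real servers do."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(mx_records), 0, 0)
    question = encode_name(DOMAIN) + struct.pack("!HH", 15, 1)
    body = b""
    for pref, exchange in mx_records:
        rdata = struct.pack("!H", pref) + encode_name(exchange)
        body += b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 7200, len(rdata)) + rdata
    return header + question + body

if __name__ == "__main__":
    # Offline demo: a resolver that also returns the bogus host from the post.
    bogus = build_sample_response(0x2A2A, [(1, "MAILGATE.greenborder.com"),
                                           (5, "USP1.MAILHOSTSXODE.NET"),
                                           (10, "USC1.MAILHOSTSXODE.NET"),
                                           (0, "mail.greenborder.com")])  # constructed
    seen = parse_mx_response(bogus, 0x2A2A)
    print("unexpected MX entries:", unexpected_mx(AUTHORITATIVE_MX, seen))
    # Live use (placeholder resolver address): query_mx("192.0.2.53", DOMAIN)
```

For a live check, resolve each of your authoritative name servers to an address, call `query_mx` against it to establish the reference set, then call `query_mx` against every recursive resolver you can reach and print `unexpected_mx`. Repeat on an interval: the post reports the bad answer only about 5% of the time, so a single clean lookup proves little, while a logged timestamp of each bad answer together with its TTL gives you something concrete to hand to the remote site and the registrar.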
