Security Basics mailing list archives

Re: DNSs, MXs and RBLs....


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 21 Mar 2008 00:23:30 +0100

On 2008-03-20 Santiago Barahona wrote:
> Once upon a time, there were two companies that created one new entity
> (let's say 50-50)... one of them provides the IT infrastructure and
> the other "the name" (I guess): it is company A's mail servers, and
> company B's domain name...

So B provides DNS services for A. That's perfectly fine.

> Since the new users will be in company A's infrastructure, their
> mailboxes will be hosted in company A's mail servers... but the domain
> name will be controlled and hosted by company B... to do this someone
> has suggested to company B to modify their DNS entries to point to
> company A's domain name....

Ummm... what? If B is providing DNS for A they already host the domain
name of A themselves. Why would they want to point anywhere else?

> So when a MTA tries to reach user () newco com, it will find in Company
> B's DNS that it points out to companyA.com, then it will go ask a DNS
> who is companyA.com and deliver the mail... (tell me if I'm wrong)...

You are. The sending MTA will query one of B's nameservers for the MX
record(s) of A's domain and then send to that host. See [1] for more
detailed information on how DNS works.

> At first glance it looked OK but then it started to cause me trouble
> when I thought about the case when the users of this domain start
> sending mails because I think that company A's mail servers risk of
> being "black listed" by some RBLs... if this happens not only the
> users of the new entity will be perceived by spam but all users that
> use those servers...

Well, if A's server for outbound mail makes it on some DNSBL, mail
servers employing that DNSBL will reject mail from A's server, yes.
That's how DNSBLs work. See [2].

> Any light??... is it possible to get blacklisted this way??...

Possible? Yes. Likely? That depends. Why do you think you might be at
risk of being blacklisted?

> do you have any suggestions on how to avoid the risk??

Don't send out spam in the first place. Having separate mail servers for
A and the new entity will leave one operational in case the other gets
blacklisted.

[1] http://en.wikipedia.org/wiki/Domain_Name_System
[2] http://en.wikipedia.org/wiki/DNSBL

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
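The two mechanisms discussed in the reply (the sending MTA picking a delivery host from the MX records of newco's domain, and a DNSBL answering for a listed IP) as an added illustration, not code from the thread. All DNS data is constructed sample data; "dnsbl.example" and the hostnames are placeholders, and in practice you would check the addresses your outbound MTA actually sends from, not only the MX hosts.

```python
import ipaddress

# Constructed sample zone data standing in for B's nameservers (MX and A records)
# and for a placeholder DNSBL zone. Not real hosts or a real blocklist.
SAMPLE_MX = {
    "newco.example": [(20, "mx2.companya.example"), (10, "mx1.companya.example")],
}
SAMPLE_A = {
    "mx1.companya.example": "192.0.2.10",
    "mx2.companya.example": "192.0.2.20",
    # A DNSBL returns an A record (conventionally 127.0.0.x) only for listed IPs.
    "20.2.0.192.dnsbl.example": "127.0.0.2",
}

def sample_mx_lookup(domain):
    return SAMPLE_MX.get(domain, [])

def sample_a_lookup(name):
    return SAMPLE_A.get(name)

def delivery_targets(domain, mx_lookup):
    """MX hosts in the order an MTA tries them: lowest preference value first."""
    records = mx_lookup(domain)
    if not records:
        # RFC 5321 fallback: with no MX record, deliver to the domain's own A record.
        return [domain]
    return [host for _, host in sorted(records)]

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reverse the IPv4 octets and append the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, zone, a_lookup):
    """A listing is a 127.0.0.0/8 answer; NXDOMAIN (None) means not listed."""
    answer = a_lookup(dnsbl_name(ip, zone))
    return answer is not None and answer.startswith("127.")

def check_mail_hosts(domain, zone, mx_lookup, a_lookup):
    """Map each delivery host of the domain to its DNSBL status (None if it has no A record)."""
    status = {}
    for host in delivery_targets(domain, mx_lookup):
        ip = a_lookup(host)
        status[host] = is_listed(ip, zone, a_lookup) if ip else None
    return status

if __name__ == "__main__":
    print(check_mail_hosts("newco.example", "dnsbl.example",
                           sample_mx_lookup, sample_a_lookup))
```

Swapping the two sample lookup functions for real resolver calls turns this into a periodic check that the hosts serving the shared infrastructure have not been listed.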
