
RE: educating rDNS violators

Subject: RE: educating rDNS violators
Date: Thu, 26 Aug 2004 17:31:36 -0700
-----Original Message-----
From: token [mailto:chip.gwyn@gmail.com]
Sent: Thursday, August 26, 2004 12:30 AM
To: security-basics@securityfocus.com
Subject: Re: educating rDNS violators

Quick little note on what is actually happening in the above scenario.
The e-mail server makes an SMTP connection to send the mail. The
receiving server does a lookup for reverse DNS on the IP address. It
gets mail.mydomain.com; next the receiving SMTP server looks up the IP address
for mail.mydomain.com and then makes sure the IPs match. If so, it
delivers; if not, it rejects. This works with cluster-type mail
servers as well.

--chip


So with TWO requests to DNS, you've found out what ONE told you -- that
the IP address that is connecting to you *has* an rDNS entry somewhere.
I could be a compromised cable-modem user whose ISP has put in a
complete set of bogus-IP1-IP2-IP3-IP4-cablemodem-mumblemumble.isp.com
rDNS entries for their entire address space, and, sure enough, every single
one of them matches forwards and backwards without telling you ANYTHING
about whether this box should be talking directly to your SMTP server.

Confirming that the IP address has an rDNS entry is of very limited
utility. Confirming that it returns a name that forward-resolves to that
address adds absolutely none at all.

David Gillett
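The two-lookup check chip describes, together with the generic-PTR caveat David Gillett raises, as an added Python example (not code from either poster). The DNS data is a constructed in-memory mapping so the example runs offline, the hostnames are placeholders, and `looks_generic` is an assumed heuristic, not anything the thread specifies.

```python
import ipaddress
import re

# Constructed sample DNS data (not real records): PTR (reverse) and A (forward).
SAMPLE_PTR = {
    "192.0.2.10": "mail.mydomain.example",
    "198.51.100.77": "77-100-51-198-cablemodem.isp.example",
    "203.0.113.9": "spoof.example",
}
SAMPLE_A = {
    "mail.mydomain.example": {"192.0.2.10"},
    "77-100-51-198-cablemodem.isp.example": {"198.51.100.77"},
    "spoof.example": {"192.0.2.20"},
}

def fcrdns(ip, ptr=SAMPLE_PTR, a=SAMPLE_A):
    """The two-lookup check from the thread: reverse-resolve the IP, then
    forward-resolve that name and require the original IP in the answer.
    Returns (passed, ptr_name); ptr_name is None when there is no PTR."""
    ipaddress.IPv4Address(ip)          # raises ValueError on malformed input
    name = ptr.get(ip)
    if name is None:
        return False, None
    return ip in a.get(name, set()), name

_NUMBERS = re.compile(r"\d+")

def looks_generic(ip, name):
    """Assumed heuristic for the 'IP1-IP2-IP3-IP4-cablemodem.isp' style of
    PTR name: every octet of the address appears as a number in the hostname."""
    found = {t.lstrip("0") or "0" for t in _NUMBERS.findall(name)}
    return all(octet in found for octet in ip.split("."))

def classify(ip, ptr=SAMPLE_PTR, a=SAMPLE_A):
    """Verdict an MTA could log: the FCrDNS result, plus the caveat that a
    name which matches forwards and backwards but is clearly auto-generated
    says nothing about whether this host should be sending mail directly."""
    passed, name = fcrdns(ip, ptr, a)
    if name is None:
        return "no-rdns"
    if not passed:
        return "mismatch"
    if looks_generic(ip, name):
        return "fcrdns-generic"
    return "fcrdns-ok"

if __name__ == "__main__":
    for sample_ip in SAMPLE_PTR:
        print(sample_ip, classify(sample_ip))
```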