RE: email address "spoofed"
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 03/15/04
- Previous message: Michael Bellears: "RE: Dos Attack"
- Maybe in reply to: Tim Laureska: "email address "spoofed""
To: <ald2003@users.sourceforge.net>, "'security-basics'" <security-basics@securityfocus.com>
Date: Mon, 15 Mar 2004 08:17:05 -0800
> > A great many ISPs who hand out addresses via DHCP maintain a
> > set of generic reverse-DNS entries for their scopes. On the one
> > hand, this greatly diminishes the value of this lookup as an
> > anti-spam measure; on the other hand, it avoids the particular
> > problem you describe.
>
> the problem is that my address when forward resolved is
> different from reverse resolution.
So is mine. So is virtually everyone's that I know. The servers
that I'm aware of that perform this check don't look for a *match* --
all they care about is that there is a response that they can include
in the Received: header line. No response, and the message gets bounced.
> > A more effective measure employed by several ISPs is to block
> > outbound SMTP at their borders, except for their own officially
> > sanctioned email server(s). This cuts the propagation of viruses
> > with their own SMTP engine, and use of spam-sending packages with
> > their own, to virtually nil, and if they don't turn on the reverse
> > check, they can probably (*safely*) avoid setting up reverse
> > records for their DHCP scopes.
>
> this would work only if the ISP allowed any and every email
> from any domain to pass through, that is why I run my own
> mail server with the A and MX records pointing to my smtp
> server address
My current ISP, and the one before, both have allowed me to send
email with a variety of "foreign" return addresses, as necessary.
The one before that was spammer-friendly, and didn't care. Again,
it's not a match that's needed, just a block that breaks most spammer
tools and email worms.
> > If your ISP allows arbitrary port 25 traffic to the world, but
> > won't set up reverse ranges on its DNS servers, maybe you should
> > evaluate some of their competitors....
>
> their competitors are worse, at least this one has a very
> responsive help desk and good people at the phone and not
> some script monkeys, one call is what it takes to resolve any
> complicated matter.
So why don't they seem to have a clue about this? I guess that
if their competition is even worse, you're stuck. Sorry to hear it.
Dave Gillett
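
Added example, not part of the original message: the "a response is enough" reverse-DNS check described above, next to two stricter variants (forward-confirmed and HELO match) that a receiving server could apply instead. All addresses, host names and function names are constructed for illustration, and the in-memory tables stand in for real DNS lookups.

```python
# Constructed DNS data using documentation address ranges; not from the thread.
PTR = {  # reverse zone: IP -> host name
    "203.0.113.5": "dhcp-203-0-113-5.isp.example",  # generic ISP entry for a DHCP scope
    "198.51.100.7": "mail.corp.example",            # dedicated mail host
    # 192.0.2.9 deliberately has no PTR record
}
A = {  # forward zone: host name -> addresses
    "dhcp-203-0-113-5.isp.example": {"203.0.113.5"},
    "mail.home.example": {"203.0.113.5"},  # self-hosted server on the DHCP address
    "mail.corp.example": {"198.51.100.7"},
}

def ptr_exists(ip):
    """Lenient policy from the message: any PTR answer is acceptable."""
    return ip in PTR

def forward_confirmed(ip):
    """Stricter: the PTR name must resolve forward to the connecting IP."""
    name = PTR.get(ip)
    return name is not None and ip in A.get(name, set())

def helo_matches_ptr(ip, helo):
    """Strictest: the PTR name must equal the name the client announced."""
    name = PTR.get(ip)
    return name is not None and name.lower().rstrip(".") == helo.lower().rstrip(".")

def evaluate(ip, helo):
    """Return each policy's verdict plus the Received: text the server could log."""
    name = PTR.get(ip, "unknown")
    return {
        "exists": ptr_exists(ip),
        "fcrdns": forward_confirmed(ip),
        "match": helo_matches_ptr(ip, helo),
        "received": f"Received: from {helo} ({name} [{ip}])",
    }

if __name__ == "__main__":
    for ip, helo in [("203.0.113.5", "mail.home.example"),
                     ("198.51.100.7", "mail.corp.example"),
                     ("192.0.2.9", "mail.nowhere.example")]:
        print(evaluate(ip, helo))
```

The self-hosted server on the generic DHCP entry passes the first two checks and fails only the HELO match; only the address with no PTR record fails the lenient check.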