RE: educating rDNS violators

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 09/27/04

    To: "'Pat Moffitt'" <pmoffitt@wrv.com>, <security-basics@securityfocus.com>
    Date: Mon, 27 Sep 2004 08:24:46 -0700
    
    

      At the point that you've got a HELO, the remote system has
    ACK'd your SYN-ACK. So, barring MITM attacks (which are
    difficult to do on the open Internet), there's a > 99.9%
    chance that the remote is reachable via the IP address you're
    seeing. Spoofing rDNS is no harder, and probably easier,
    so I don't see any meaningful sense in which it "verifies
    the IP address".

    David Gillett

    > -----Original Message-----
    > From: Pat Moffitt [mailto:pmoffitt@wrv.com]
    > Sent: Thursday, September 23, 2004 2:19 PM
    > To: security-basics@securityfocus.com
    > Subject: [RE: educating rDNS violators]
    >
    >
    >
    > I am not attempting to verify the HELO Command. I am
    > attempting to verify the
    > IP Address of the system that is trying to make the SMTP
    > connection. As such,
    > this section of the RFC does not apply. I see nothing in
    > this RFC that applies
    > to using RDNS to reject mail connections, only on using RDNS
    > to verify HELO
    > commands.
    >
    > Pat Moffitt
    > MIS Administrator
    > Western Recreational Vehicles, Inc.
    >
    >
    > -------- Original Message --------
    > Subject: RE: educating rDNS violators
    > Date: Tue, 31 Aug 2004 13:35:34 -0400
    > From: LordInfidel@directionweb.com
    > To: 'Derek Schaible' <dschaible@cssiinc.com>, Niek
    > <niek@packetstorm.nu>
    > CC: security-basics@securityfocus.com
    >
    > [snip - to supply the relevant part of the message]
    >
    > 6. Section 5.2.5 of rfc1123 covers this quite explicitly.
    > Rejecting mail
    > based on RDNS ~~~***VIOLATES***~~~ the RFC:
    > http://www.faqs.org/rfcs/rfc1123.html
    >
    > 5.2.5 HELO Command: RFC-821 Section 3.5
    >
    > [snip]
    >
    >
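As an added illustration of the point argued above (example code, not anything posted in the thread): a PTR record is published by whoever controls the address block, so a reverse lookup alone says nothing about the domain it names; a forward-confirmed rDNS check resolves the name forward again and only accepts it if the original address comes back. The resolver functions and all hostnames and addresses below are constructed stand-ins so the check runs offline.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) check with injected
# resolvers. A PTR alone can be set to any name by the address-block owner;
# forward confirmation ties that name to the connecting address.
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

PtrLookup = Callable[[str], Optional[str]]    # ip -> hostname or None
AddrLookup = Callable[[str], Iterable[str]]   # hostname -> addresses


def fcrdns(ip: str, ptr: PtrLookup, addrs: AddrLookup) -> Tuple[bool, str]:
    """Return (confirmed, reason) for the connecting address `ip`."""
    ipaddress.ip_address(ip)  # raises ValueError on garbage input
    name = ptr(ip)
    if not name:
        return False, "no PTR record"
    forward = set(addrs(name))
    if ip in forward:
        return True, f"PTR {name} resolves back to {ip}"
    return False, f"PTR {name} does not resolve back to {ip}"


# Constructed records standing in for real DNS answers (hypothetical data).
PTR_RECORDS = {
    "192.0.2.10": "mail.example.net",  # genuine: forward record agrees
    "192.0.2.20": "mail.example.net",  # PTR names a host this address is not
    "192.0.2.30": None,                # no reverse entry at all
}
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def lookup_addrs(name: str) -> Iterable[str]:
    return A_RECORDS.get(name, [])


def check_all(ips: Iterable[str]) -> dict:
    """Run the check over several connecting addresses."""
    return {ip: fcrdns(ip, lookup_ptr, lookup_addrs) for ip in ips}


if __name__ == "__main__":
    for ip, (ok, why) in check_all(PTR_RECORDS).items():
        print(f"{ip}: {'confirmed' if ok else 'unconfirmed'} ({why})")
```

Only the first address passes; the second shows that a PTR claiming a well-known mail host is worthless without the forward match, which is the sense in which rDNS does not "verify" anything by itself.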

