
Re: [Asrg] Weird reverse DNS resolution might affect spam filters

2006-06-23 09:52:18
On Fri, 2006-06-23 at 09:01 -0700, Douglas Campbell wrote:
> Just noticed something really strange show up in my milter logs:
>
> 2006-06-23 08:15:09.589901-07:00 [mx] connect(821,localhost,[222.252.168.54]) 1
> 2006-06-23 08:15:09.968668-07:00 [mx] helo(821,2g4i9a.oq4ihijo.comcast.net,invalid)
> 2006-06-23 08:15:10.453522-07:00 [mx] envfrom(821,argv[0]=<kayepenn9v(_at_)gardener(_dot_)com>)
> 2006-06-23 08:15:10.489847-07:00 [mx] envrcpt(821,argv[0]=<uucp(_at_)pixelprocessor(_dot_)us>)
> 2006-06-23 08:15:10.829801-07:00 [mx] header(821,Message-ID,<53327639439490(_dot_)8D11BD6FB3(_at_)OQTQ>)
> 2006-06-23 08:15:10.869782-07:00 [mx] header(821,From,"Wilda" <RuthieLevyex(_at_)cliffhanger(_dot_)com>)
> 2006-06-23 08:15:10.909778-07:00 [mx] header(821,To,<uucp(_at_)pixelprocessor(_dot_)us>)
> 2006-06-23 08:15:10.949778-07:00 [mx] header(821,Subject,Hottest new offer Diplomas Without Exams)
> ...
>
> Notice the "connect" line -- it appears that reverse DNS is resolving the
> offered IP address to "localhost".  samspade.org also reverse DNS's the IP
> address to "localhost".  In fact, a sampling of the entire address block
> containing the IP address (222.252.0.0/16) indicates that ALL the hosts in
> the block are "localhost".  It might be a misconfiguration by Vietnam
> Posts and Telecommunications Corp (the owner of the netblock), or a
> deliberate configuration.
>
> In any case, spam detectors who rely on "localhost" as the reverse lookup
> for an IP address as a condition of passing the e-mail are at risk of
> producing false negatives.

Some years ago a colleague told me that some resolvers, when doing an rDNS
lookup, will then perform a forward lookup of the hostname, to check that
the A records for the name contain the IP address with which you
started.

Does anyone know if this is true (if so, which)?

If not true, perhaps it is something which SMTP servers should do
themselves, before using the rDNS name for authorization.

A mismatch in the round-trip rDNS->DNS would be a sign of a suspicious
host, as well.

Can anyone foresee an issue with this?

cheers

David Wilson 
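The round-trip check David describes (reverse lookup, then forward lookup of the returned name, accepting the name only if its A records contain the connecting address) is what later came to be called forward-confirmed reverse DNS. Below is an added example, not code from this thread: it drives the check with a constructed in-memory resolver so it runs offline, and the record table (including the 222.252.168.54 -> localhost mapping from the quoted log, plus placeholder addresses from the 192.0.2.0/24 documentation range) is made up for illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check driven by a stub resolver.

Added example for the thread above. The PTR/A tables are constructed
test data; in production, replace lookup_ptr/lookup_a with real DNS
queries (the check itself does not change).
"""
import ipaddress

# Constructed records. 222.252.168.54 reproduces the log: its PTR says
# "localhost", but "localhost" forward-resolves only to 127.0.0.1.
PTR_RECORDS = {
    "222.252.168.54": ["localhost"],        # bogus PTR from the quoted log
    "192.0.2.25": ["mx1.example.org"],      # placeholder: consistent round trip
    "192.0.2.99": ["mail.example.net"],     # placeholder: PTR exists, A disagrees
    "192.0.2.7": [],                        # placeholder: no reverse mapping
}
A_RECORDS = {
    "localhost": ["127.0.0.1"],
    "mx1.example.org": ["192.0.2.25", "192.0.2.26"],
    "mail.example.net": ["203.0.113.5"],
}


def lookup_ptr(ip: str) -> list:
    """Stub reverse lookup: PTR names for an address (empty if none)."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name: str) -> list:
    """Stub forward lookup: address records for a hostname (empty if none)."""
    return A_RECORDS.get(name, [])


def fcrdns(ip: str, ptr=lookup_ptr, a=lookup_a):
    """Return (status, confirmed_names) for the connecting address.

    'confirmed' - some PTR name forward-resolves back to ip: safe to use
    'mismatch'  - PTR names exist but none resolve to ip: suspicious
    'no_ptr'    - the address has no reverse mapping at all
    Only names in confirmed_names should ever be used for authorization.
    """
    addr = ipaddress.ip_address(ip)          # normalises v4/v6 text forms
    names = ptr(str(addr))
    if not names:
        return "no_ptr", []
    confirmed = [n for n in names
                 if any(ipaddress.ip_address(x) == addr for x in a(n))]
    return ("confirmed" if confirmed else "mismatch"), confirmed


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, *fcrdns(ip))
```

A milter that gates on the rDNS name would call `fcrdns()` on the connecting address and treat anything but `confirmed` as "no usable name", which is exactly what defeats the blanket "localhost" PTRs in the quoted log.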


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg