[GRLUG] SMTP reverse DNS validation

Dave Chiodo megadave at gmail.com
Thu Apr 23 12:30:25 EDT 2015


Forgot to complete the verification sequence:

*The verification starts with getting the PTR for the IP address. Then,
looking up A records for whatever name(s) are returned from the PTR record.*

The "A" record that comes back should match the IP address that you started
with.

E.g., if you get a connection from 1.2.3.4, and the PTR record says that it is
"bighost.com", but when you look up bighost.com it's at "6.7.8.9", it appears
someone is trying to pretend to be bighost.com.

On Thu, Apr 23, 2015 at 12:28 PM, Dave Chiodo <megadave at gmail.com> wrote:

> It's less about the MX record than it is about whatever server
> the SMTP connection is originating from. (Some email services use one
> set of servers as MX for receiving INbound mail, and a completely
> different set of servers for sending OUTbound mail.)
>
> The verification starts with getting the PTR for the IP address.
>
> Then, looking up A records for whatever name(s) are returned from the
> PTR record.
>
> In this case, NEITHER of the names given for the PTR record has an A
> record.
>
> The one missing the ".com" is of course invalid, and there is NO A
> record for the other:
>
> $ dig 67-221-227-25.xiolink.com
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10651
>
> On Thu, Apr 23, 2015 at 12:14 PM, L. V. Lammert <lvl at omnitec.net> wrote:
> > On Thu, 23 Apr 2015, Mark Farver wrote:
> >
> >> Not sure what you are saying...did you get more than one result to a PTR
> >> lookup?  Can you paste dig output displaying the condition?
> >>
> > MX
> > crownpack.com.          2841    IN      MX      10 cpbsvf01.crownpack.com.
> >
> > ;; ADDITIONAL SECTION:
> > cpbsvf01.crownpack.com. 2841    IN      A       67.221.227.25
> >
> > ;; ANSWER SECTION:
> > 25.227.221.67.in-addr.arpa. 3600 IN  PTR     cpbsvf01.crownpack.
> > 25.227.221.67.in-addr.arpa. 3600 IN  PTR     67-221-227-25.xiolink.com.
> >
> >> Requiring anything beyond the existence of a PTR record on an incoming
> >> message is problematic.  You can certainly give positive score to a machine
> >> with valid and identical forward and reverse records but many legitimate
> >> senders will not have that.
> >>
> > They may be a legitimate sender, .. but an invalid reverse DNS PTR does
> > indicate they may *not* be legitimate and our email servers are configured
> > to reject.
> >
> > The problem is that MXToolbox only checks for the existence of a PTR record
> > and does not match the hostname. I have since found a way to accurately
> > show the discrepancy: http://www.debouncer.com/reverse-dns-check
> >
> >         TFTR!
> >
> >         Lee
> > _______________________________________________
> > grlug mailing list
> > grlug at grlug.org
> > http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
>
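The PTR -> A -> match procedure Dave describes, as an added example (not code from anyone in the thread): a Python forward-confirmed reverse DNS check with an injectable resolver. The in-memory record table is constructed from the dig output quoted above plus a made-up passing case (mail.example.net / 10.0.0.1), so the script runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check: PTR -> A -> must match the IP."""
import ipaddress
from typing import Callable, Dict, List, Tuple
# Constructed records standing in for live DNS (mirrors the thread's dig output
# and the 1.2.3.4/bighost.com example). An empty list models NXDOMAIN / no data.
RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("25.227.221.67.in-addr.arpa.", "PTR"): ["cpbsvf01.crownpack.",
                                            "67-221-227-25.xiolink.com."],
    ("cpbsvf01.crownpack.", "A"): [],                    # ".com" missing: no such name
    ("67-221-227-25.xiolink.com.", "A"): [],             # NXDOMAIN in the thread
    ("cpbsvf01.crownpack.com.", "A"): ["67.221.227.25"], # the MX host's forward record
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["bighost.com."],
    ("bighost.com.", "A"): ["6.7.8.9"],                  # forward does not point back
    ("1.0.0.10.in-addr.arpa.", "PTR"): ["mail.example.net."],  # constructed passing case
    ("mail.example.net.", "A"): ["10.0.0.1"],
}

Resolver = Callable[[str, str], List[str]]
def table_resolver(name: str, rtype: str) -> List[str]:
    """Answer (name, rtype) from the constructed table; a missing key is NXDOMAIN."""
    return RECORDS.get((name, rtype), [])

def fcrdns_check(ip: str, resolve: Resolver = table_resolver) -> Tuple[bool, List[str]]:
    """Return (ok, notes): ok is True only if some PTR name's A records contain ip."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    ip = str(addr)  # canonical text form, so "067.221..." style input still matches
    notes: List[str] = []
    # Step 1: reverse lookup of the connecting IP gives zero or more names.
    ptr_names = resolve(addr.reverse_pointer + ".", "PTR")
    if not ptr_names:
        notes.append(f"{ip}: no PTR record")
        return False, notes
    # Step 2: each name must resolve forward, and one must point back to ip.
    for name in ptr_names:
        a_records = resolve(name, "A")
        if not a_records:
            notes.append(f"{name} has no A record")
        elif ip in a_records:
            notes.append(f"{name} -> {ip} (forward-confirmed)")
            return True, notes
        else:
            notes.append(f"{name} -> {', '.join(a_records)} (does not point back to {ip})")
    return False, notes

if __name__ == "__main__":
    for test_ip in ("67.221.227.25", "1.2.3.4", "10.0.0.1", "192.0.2.1"):
        ok, why = fcrdns_check(test_ip)
        print(f"{test_ip}: {'PASS' if ok else 'FAIL'}; " + "; ".join(why))
```

Swapping `table_resolver` for a function that wraps a real resolver library makes the same check usable on live traffic; a policy like Lee's rejects on `ok == False`, while Mark's scoring approach would add positive weight only when it is `True`.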