Title: Message
Hmmm, actually, now that I think about it, it can be forged to be whatever the address space owner wants it to be.  For example, if 111.222.111.0 was delegated to me by ARIN or my ISP, I could set up the RDNS for the IP addresses to resolve however I want them to.  I could have:
 
        111.222.111.1    PTR    yahoo.com.
        111.222.111.2    PTR    hotmail.com.
        111.222.111.3    PTR    aol.com.
 
and messages that were sent from these IP addresses would meet the following whitelist requirements and get delivered:
 
    WHITELIST REVDNS ENDSWITH yahoo.com
    WHITELIST REVDNS ENDSWITH hotmail.com
    WHITELIST REVDNS ENDSWITH aol.com
 
even though these are not legitimate Yahoo, Hotmail, or AOL IP addresses.  The RDNS test simply looks at the IP address of the connecting server (following the HOP and IPBYPASS settings, of course) and does a reverse lookup on that IP address; the response will come back however the IP address space owner has configured it in their in-addr.arpa zone file for that IP address.
 
So, even my last post about using "ENDSWITH" instead of "CONTAINS" with RDNS filters is NOT infallible since "ENDSWITH" is NOT secure against being forged.  However, if the RDNS test instead queried for the network instead of the IP address, that would be a much more reliable test since the network owner is registered with ARIN.  For example:
 
dig mx yahoo.com returns in part:
yahoo.com.              5853    IN      MX      1 mx1.mail.yahoo.com.
dig mx1.mail.yahoo.com returns:
mx1.mail.yahoo.com.     940     IN      A       64.157.4.78
dig -x 64.157.4.78 (full IP address query) returns:
78.4.157.64.in-addr.arpa. 983   IN      PTR     mta-v22.level3.mail.yahoo.com.
dig -x 64.157.4. (network query) returns:
4.157.64.in-addr.arpa.  302     IN      SOA     hidden-master.yahoo.com. hostmaster.yahoo-inc.com.
----------
dig mx hotmail.com returns in part:
hotmail.com.            2123    IN      MX      5 mx2.hotmail.com.
dig mx2.hotmail.com returns in part:
mx2.hotmail.com.        2007    IN      A       65.54.252.230
dig -x 65.54.252.230 (full IP address query) returns:
230.252.54.65.in-addr.arpa. 3600 IN     PTR     mc6.law1.hotmail.com.
dig -x 65.54.252. (network query) returns:
252.54.65.in-addr.arpa. 3600    IN      SOA     ns1.hotmail.com. dns.hotmail.com.
----------
dig mx aol.com returns in part:
aol.com.    2585    IN      MX      15 mailin-03.mx.aol.com.
dig mailin-03.mx.aol.com returns in part:
mailin-03.mx.aol.com.   156     IN      A       64.12.137.121
dig -x 64.12.137.121 (full IP address query) returns:
121.137.12.64.in-addr.arpa. 3600 IN     PTR     xh.mx.aol.com.
dig -x 64.12.137. (network query) returns:
137.12.64.in-addr.arpa. 3600    IN      SOA     dns-01.ns.aol.com. hostmaster.aol.net.
 
Although again not infallible, if a spammer wanted to forge the RDNS for single IP addresses, the network query could only really respond with one domain in the SOA.  So the "ENDSWITH" filter attribute in RDNS could only be subject to forgery for one domain, not many like the individual IP address queries could.
 
Thoughts?
 
Bill
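The two checks Bill contrasts, as an added example that is not from the original thread or from Declude: the per-address PTR check and the proposed network SOA check, run over constructed DNS records (the forged 111.222.111.1 PTR from the post next to the Yahoo pair). The `constructed_lookup` resolver, the `attacker-net.example` SOA, and the label-boundary ENDSWITH are assumptions for the example, not Declude's actual semantics.

```python
"""Per-address PTR check vs. network SOA check for RDNS whitelisting."""
import ipaddress

# Constructed records (not real DNS data): a forged PTR in address space the
# sender controls, plus a genuine-looking pair taken from the Yahoo example.
# Owner names and rdata are fully qualified (trailing dot), as dig prints them.
CONSTRUCTED_DNS = {
    ("1.111.222.111.in-addr.arpa.", "PTR"): "yahoo.com.",
    ("111.222.111.in-addr.arpa.", "SOA"):
        "ns1.attacker-net.example. hostmaster.attacker-net.example. 1 3600 900 604800 300",
    ("78.4.157.64.in-addr.arpa.", "PTR"): "mta-v22.level3.mail.yahoo.com.",
    ("4.157.64.in-addr.arpa.", "SOA"):
        "hidden-master.yahoo.com. hostmaster.yahoo-inc.com. 1 3600 900 604800 300",
}

def constructed_lookup(name, rtype):
    """Stand-in resolver: returns rdata text, or None for NXDOMAIN / no data."""
    return CONSTRUCTED_DNS.get((name, rtype))

def ptr_name(ip):
    """Owner name queried by 'dig -x a.b.c.d' (full IP address query)."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."

def network_zone_name(ip, prefix=24):
    """Owner name queried by 'dig -x a.b.c.' (network query, /24 by default).
    Assumes an octet-aligned prefix (8, 16 or 24)."""
    net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    octets = str(net.network_address).split(".")[: prefix // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ends_with_domain(name, domain):
    """ENDSWITH on a label boundary: 'notyahoo.com' must not match 'yahoo.com'."""
    n = name.lower().rstrip(".")
    d = domain.lower().strip(".")
    return n == d or n.endswith("." + d)

def ptr_whitelist_match(ip, domain, lookup=constructed_lookup):
    """The per-address test: PTR of the connecting IP ENDSWITH <domain>.
    Passes for the forged 111.222.111.1 record, which is the weakness."""
    ptr = lookup(ptr_name(ip), "PTR")
    return ptr is not None and ends_with_domain(ptr, domain)

def network_soa_match(ip, domain, lookup=constructed_lookup):
    """The proposed test: MNAME in the enclosing /24 zone's SOA ENDSWITH <domain>.
    A forged PTR does not help here; only the zone owner's own SOA is seen."""
    soa = lookup(network_zone_name(ip), "SOA")
    if soa is None:
        return False
    mname = soa.split()[0]
    return ends_with_domain(mname, domain)
```

A real resolver can be dropped in as the `lookup` argument; note that an address space owner who also controls the /24 zone can still put any name in that SOA, as the post says.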
----- Original Message -----
Sent: Tuesday, June 24, 2003 4:30 AM
Subject: [Declude.JunkMail] WHITELIST REVDNS

Hi;
 
What would be the drawback for having WHITELIST REVDNS as an option?
 
Example:
 
WHITELIST REVDNS ENDSWITH .clickandpledge.com
 
I think that would be perfect for internal emails, and apparently REVDNS cannot be faked (or can it?)
 
Regards,
Kami
