On 03/11/02 at 12:04, Stefan Jeglinski wrote:

> Here is a header for some spam I got:
> 
> >Return-Path: [EMAIL PROTECTED]
> >Received: from karabalta.kg ([195.38.186.2] verified) by mx.4pi.com
> >(Stalker SMTP Server 1.8b9d3) with ESMTP id
> 
> 
> But, an A-record lookup on karabalta.kg yields 192.168.0.1. IOW, they 
> are either deliberately obfuscating this, or are simply stupid with 
> their DNS.
> 
> Enough looking around shows that 195.38.186.2 is ns.karabalta.kg. How 
> does SIMS do this again? I thought it did a reverse lookup on the IP, 
> then if it gets a PTR record, it checks the PTR result to see if 
> there is a matching A record. Only then does it mark it as verified. 
> But in this case, there is no PTR record for 195.38.186.2, AFAICT.

AFAIK, SIMS does not do a reverse look-up on the connecting IP address. It
only does a forward look-up on the domain name claimed in the HELO/EHLO
argument (karabalta.kg in this case). If it resolves to an address that
matches the connection, then SIMS marks it as 'verified'. That is apparently
not the case here (since karabalta.kg. resolves to 192.168.0.1 not
195.38.186.2), so it's unclear to me why SIMS would mark it as verified. That
would seem to be erroneous.

-- 
                   Christopher Bort | [EMAIL PROTECTED]
            Webmaster, Global Homes | [EMAIL PROTECTED]
      <http://www.globalhomes.com/> | PGP public key available on request
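
The two checks discussed in this thread, side by side, as an added example that is not part of the original messages and is not SIMS code: the forward-only HELO check described in the reply, and the reverse-then-forward (PTR, then A) check described in the question. The DNS tables are constructed from the values quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed DNS data mirroring the values reported in the thread (not live lookups).
A_RECORDS = {
    "karabalta.kg": ["192.168.0.1"],
    "ns.karabalta.kg": ["195.38.186.2"],
}
PTR_RECORDS = {}  # the thread reports no PTR record for 195.38.186.2

# Matches the "from <helo> ([<ip>] ...)" shape of the quoted Received line.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9A-Fa-f.:]+)\]")

def parse_received(header):
    """Return (helo_name, peer_ip) extracted from a Received header line."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received format")
    return m.group("helo").rstrip(".").lower(), ipaddress.ip_address(m.group("ip"))

def _addrs(name, a_records):
    """Addresses the (constructed) A-record table holds for a host name."""
    return {ipaddress.ip_address(a) for a in a_records.get(name.rstrip(".").lower(), [])}

def helo_forward_match(helo, peer, a_records=A_RECORDS):
    """Forward-only check: the HELO name must resolve to the connecting address."""
    return peer in _addrs(helo, a_records)

def fcrdns_match(peer, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """PTR-then-A check: some PTR name for the peer must resolve back to the peer."""
    return any(peer in _addrs(n, a_records) for n in ptr_records.get(str(peer), []))

def assess(header, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Run both checks on one Received line and flag HELO names in private space."""
    helo, peer = parse_received(header)
    helo_addrs = _addrs(helo, a_records)
    return {
        "helo": helo,
        "peer": str(peer),
        "helo_forward_match": peer in helo_addrs,
        "fcrdns_match": fcrdns_match(peer, a_records, ptr_records),
        "helo_resolves_private": any(a.is_private for a in helo_addrs),
    }

# The Received line quoted in the thread (its truncated ESMTP id is left out).
SAMPLE = "Received: from karabalta.kg ([195.38.186.2] verified) by mx.4pi.com"
```

With the constructed data, assess(SAMPLE) reports both checks as failing and flags that the HELO name resolves into private address space.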
