At 4:45 PM -0500 3/11/02, Stefan Jeglinski imposed structure on a stream of electrons, yielding:

>>AFAIK, SIMS does not do a reverse look-up on the connecting IP address. It
>>only does a forward look-up on the domain name claimed in the HELO/EHLO
>>argument (karabalta.kg in this case). If it resolves to an address that
>>matches the connection, then SIMS marks it as 'verified'. That is apparently
>>not the case here (since karabalta.kg. resolves to 192.168.0.1 not
>>195.38.186.2), so it's unclear to me why SIMS would mark it as verified. That
>>would seem to be erroneous.
>
>Good point. It might appear though, based on this example, that SIMS
>does not cross-check the A record that is returned against the
>connecting IP, only that -some- A record is returned.
No, you missed it. SIMS does no reverse lookup at all. It does a query for an A record for the name claimed by the sender, and sees if it matches the connecting IP.

>If true, then SIMS might at least put a check in for obviously bogus
>A records (in this example, a private IP) and note such.

I think this one is a case of changed DNS.

>Or are there hidden issues I'm unaware of?

The SOA for karabalta.kg shows a serial number which implies that the zone was changed twice on 2002-03-07. Was that after that spam arrived?

>Feature request?

Actually, yes. I'd like to see SIMS look at the local blacklist when it checks HELO names and when it verifies return paths. If the HELO name resolves to something blacklisted that isn't the connecting address, that is at least worth a red flag in the Received header. If a return-path domain part is valid but has an MX or A that is blacklisted, the message should probably be rejected.

-- 
Bill Cole
[EMAIL PROTECTED]
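Added example, not code from SIMS and not something either poster wrote (the thread describes the SIMS check only in prose): the HELO check as Bill describes it, a forward A lookup for the claimed name compared against the connecting address with no reverse lookup, plus the two additions raised in the thread, flagging obviously bogus (private) A records and consulting a local blacklist for HELO names and for return-path domains. DNS is a constructed in-memory table so it runs offline; the karabalta.kg entry mirrors the thread's example, and every other name, address, MX and the blacklist network is invented for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed in-memory DNS tables (hypothetical; no network access).
# The karabalta.kg entry reproduces the thread's example: at the time the
# HELO name resolved to the private address 192.168.0.1. Everything else
# is invented and uses RFC 5737 documentation ranges.
FAKE_A_RECORDS: Dict[str, List[str]] = {
    "karabalta.kg": ["192.168.0.1"],
    "mail.example.net": ["198.51.100.7"],
    "example.net": ["198.51.100.7"],
    "relay.example.org": ["203.0.113.9", "203.0.113.10"],
}
FAKE_MX_RECORDS: Dict[str, List[str]] = {
    "example.org": ["relay.example.org"],
}

# Hypothetical local blacklist, expressed as networks.
LOCAL_BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Addresses that can never be a legitimate public SMTP client: RFC 1918,
# loopback, "this network", link-local and multicast. Listed explicitly
# rather than via ipaddress.is_private so the documentation ranges used
# in the sample data are not swept up.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def lookup_a(name: str, records: Dict[str, List[str]] = FAKE_A_RECORDS) -> List[str]:
    """Forward A lookup; trailing dot and case are ignored, as a resolver would."""
    return list(records.get(name.rstrip(".").lower(), []))


def in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def verify_helo(helo_name: str, connecting_ip: str,
                records=FAKE_A_RECORDS, blacklist=LOCAL_BLACKLIST) -> Tuple[str, List[str]]:
    """The check as described in the thread: forward-resolve the HELO name and
    compare against the connecting address; no reverse lookup of the client.
    Returns (verdict, notes). verdict is 'verified' only when some A record
    equals the connecting IP; notes carry the extra flags proposed in the thread."""
    addrs = lookup_a(helo_name, records)
    if not addrs:
        return "unverified", ["no A record for HELO name"]
    verdict = "verified" if connecting_ip in addrs else "unverified"
    notes: List[str] = []
    for a in addrs:
        # Stefan's suggestion: note an obviously bogus A record (private IP etc.)
        if in_any(a, BOGUS_NETS):
            notes.append(f"HELO name resolves to bogus address {a}")
        # Bill's request: a blacklisted A that is not the connecting address
        # is worth a red flag in the Received header.
        if a != connecting_ip and in_any(a, blacklist):
            notes.append(f"HELO name resolves to blacklisted address {a}, not the connecting address")
    return verdict, notes


def check_return_path(return_path: str, records=FAKE_A_RECORDS,
                      mx_records=FAKE_MX_RECORDS, blacklist=LOCAL_BLACKLIST) -> Tuple[str, List[str]]:
    """Bill's second request: the domain part must be valid (it has MX hosts or,
    failing that, its own A record); if any address those hosts resolve to is
    blacklisted, reject the message. Returns ('accept'|'reject', notes)."""
    rp = return_path.strip()
    if rp in ("", "<>"):
        return "accept", ["null return path, no domain to check"]
    _local, sep, domain = rp.strip("<>").rpartition("@")
    if not sep or not domain:
        return "reject", ["malformed return path"]
    domain = domain.rstrip(".").lower()
    mx_hosts = mx_records.get(domain, [])
    addrs: List[str] = []
    for host in mx_hosts:
        addrs.extend(lookup_a(host, records))
    if not mx_hosts:
        addrs = lookup_a(domain, records)  # no MX: fall back to the domain's own A
    if not addrs:
        return "reject", ["return-path domain has no usable MX or A record"]
    bad = [a for a in addrs if in_any(a, blacklist)]
    if bad:
        return "reject", [f"return-path domain delivers to blacklisted {a}" for a in bad]
    return "accept", []


if __name__ == "__main__":
    print(verify_helo("karabalta.kg", "195.38.186.2"))
    print(verify_helo("mail.example.net", "198.51.100.7"))
    print(check_return_path("<user@example.org>"))
```

Run as-is to see the thread's case: karabalta.kg comes back 'unverified' (192.168.0.1 is not 195.38.186.2) with the bogus-address note attached, which is the behaviour Stefan expected and which a changed zone, as Bill suggests, would explain. Swapping the constructed tables for real resolver calls is the only change needed to use it against live DNS.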
