> The owner of a domain need not authorize a reverse DNS PTR 

Indeed.  Which is why I wrote: "...matches the forward lookup of the
resulting address at PayPal"

e.g. 

The IP address of the MTA in question is [206.165.246.83]

nslookup 206.165.246.83 -> Name: email-83.paypal.com

nslookup email-83.paypal.com -> Address: 206.165.246.83

And also why I wrote "Therefore, PayPal is deliberately allowing that
reverse IP in someone else's netblock."

I meant "allowing" in a business procedures sense, not in a technical
sense of DNS being delegated.  If I had written "agreeing with" or
"collaborating with" it would have been clearer.

Andrew 8)


> -----Original Message-----
> From: Message Sniffer Community 
> [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - 
> Handy Networks LLC
> Sent: Wednesday, May 24, 2006 9:51 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> The owner of a domain need not authorize a reverse DNS PTR 
> record in any way, shape or form.  If the netblock was owned, 
> or the netblock owner had delegated rDNS to a malicious 
> customer, they could easily set rDNS to whatever they wanted. 
>  Aol.com, paypal.com, ebay.com, chase.com ...
> 
> -Jay
> -----Original Message-----
> From: Message Sniffer Community 
> [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Wednesday, May 24, 2006 12:38 PM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> It's really from PostDirect.com aka YesMail.com ...
> 
> You can tell that it's authorized because the reverse DNS 
> which ends in PayPal.com (ok, that does set off alarm bells 
> when it's someone else's
> netblock) matches the forward lookup of the resulting address 
> at PayPal.
> 
> Therefore, PayPal is deliberately allowing that reverse IP in 
> someone else's netblock.
> 
> That, or both the netblock and PayPal's DNS have been p0wned.
> 
> Andrew 8)
> 
> 
> 
> > -----Original Message-----
> > From: Message Sniffer Community
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Wednesday, May 24, 2006 9:31 AM
> > To: Message Sniffer Community
> > Subject: [sniffer]Possible Paypal Phishing
> > 
> > Attached are the headers to an e-mail I am suspecting as a clever 
> > phishing that has me worried.
> > 
> > It looks like a legit message sent on behalf of Paypal, however, it is 
> > sent from an IP address not owned by Paypal BUT which has a REVDNS 
> > that ends in paypal.com.
> > 
> > The message is full of links to images.postdirect.com but does have 
> > legit links to paypal.com.
> > 
> > John T
> > eServices For You
> > 
> > "Seek, and ye shall find!"
> > 
> > 
> 
> 
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <sniffer@sortmonster.com>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]> To 
> switch to the DIGEST mode, E-mail to 
> <[EMAIL PROTECTED]> To switch to the INDEX mode, 
> E-mail to <[EMAIL PROTECTED]> Send administrative 
> queries to  <[EMAIL PROTECTED]>
> 
> 
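
The check discussed in this thread (a PTR name is only trusted when its forward lookup returns the same IP) can be automated. The following is an added example, not code from any poster in the thread. The function names, the injectable lookup tables and the 192.0.2.10 / spoofed-example.paypal.com entries are constructed for illustration; only the 206.165.246.83 / email-83.paypal.com pair comes from the thread.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver (live DNS)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """A/AAAA addresses for name via the system resolver (live DNS)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})

def in_domain(name, domain):
    """True if name is domain or a subdomain of it (label-boundary match)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def fcrdns(ip, domain, ptr=system_ptr, forward=system_forward):
    """Return PTR names of ip inside domain whose forward lookup returns ip."""
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(ip):
        if not in_domain(name, domain):
            continue
        # Only the domain's own zone can publish this A record, so a match
        # shows the domain owner agrees with the PTR in the foreign netblock.
        if target in {ipaddress.ip_address(a) for a in forward(name)}:
            confirmed.append(name.rstrip(".").lower())
    return confirmed

# Constructed offline data. The first pair is the lookup quoted in the thread;
# 192.0.2.10 (documentation range) models a PTR set by a netblock owner with
# no matching record in the domain's own zone.
PTR = {"206.165.246.83": ["email-83.paypal.com"],
       "192.0.2.10": ["spoofed-example.paypal.com"]}
FWD = {"email-83.paypal.com": ["206.165.246.83"],
       "spoofed-example.paypal.com": ["198.51.100.7"]}

def demo(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return fcrdns(ip, "paypal.com", ptr=lambda i: PTR.get(i, []),
                  forward=lambda n: FWD.get(n, []))
```

Calling fcrdns(ip, domain) without the ptr and forward arguments uses the system resolver instead of the constructed tables.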
