I feel good, as I have a fresh set of data I can analyse from my websites; part of my logging mechanism runs gethostbyaddr() on the IP addresses and puts them in a nicely sorted list.
My question: Many of them appear as mail.<domainname>.com, would these users be legitimate, or are they spam bots for mail servers?
Some appear to be from ISPs, some from actual websites if that makes more sense.
4 replies to this topic
#1
Posted 25 February 2011 - 01:13 AM
#2
Posted 25 February 2011 - 01:30 AM
A tried and true method of authenticating mail is by setting the reverse host (which is set by the IP block owner, not the DNS) to contain the name of the mailserver's domain.
A simple example is, admin@example.com has sent email from 1.2.3.4. That address must contain a reverse host entry of example.com for the authentication to work, so often broken implementations or ISPs will automatically assign mail.network.com to an IP block to ensure their mail goes unfiltered.
There is nothing saying that 'mail' has to be in the reverse entry; that is why I call it a broken implementation. It could be from an ISP that wishes to bypass some sort of in-place filtering, or one that sets it to default automatically to this. I would not call it malicious, although it is possible that the person is from an unconfigured dedicated server (proxy).
Edited by Alexander, 25 February 2011 - 02:51 AM.
Clarification
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
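An added worked example (not code from any post in this thread) of the check the reply above describes: forward-confirmed reverse DNS. The PTR name that gethostbyaddr() returns is only an assertion by whoever controls the IP block; it counts for something only when the forward zone of the domain it names resolves back to the same IP. The DNS data below is a constructed in-memory table using reserved documentation addresses and names (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, example.com, .example), so it runs offline; the two lookup functions are stand-ins that you would swap for the real socket calls noted in their comments.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample records (assumption: documentation ranges, not real hosts).
# PTR_RECORDS is what the IP block owner publishes; that is what
# gethostbyaddr() hands back. A_RECORDS is the forward zone, which only the
# domain owner can change. A block owner can write any name into a PTR, but
# cannot make someone else's forward zone point at their address.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mail.example.com",         # rDNS and forward zone agree
    "192.0.2.11": "mail.example.com",         # rDNS claims example.com; forward zone disagrees
    "198.51.100.7": "mail.network.example",   # generic ISP-style name, but forward-confirmed
    "203.0.113.5": "unassigned.host.example", # name with no forward record at all
}

A_RECORDS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "mail.network.example": ["198.51.100.7", "198.51.100.8"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(ip)[0]; None models NXDOMAIN."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    """Stand-in for socket.gethostbyname_ex(name)[2]; [] models NXDOMAIN."""
    return A_RECORDS.get(name.rstrip(".").lower(), [])


def fcrdns(ip: str) -> Tuple[str, Optional[str]]:
    """Forward-confirmed reverse DNS for one address.

    Returns (verdict, ptr_name) where verdict is one of:
      no-ptr           the block owner published no reverse entry
      ptr-unconfirmed  a PTR exists but the name does not resolve at all
      ptr-mismatch     the name resolves, but not to this address
      confirmed        the name resolves back to this address
    """
    ipaddress.ip_address(ip)  # reject garbage before it reaches a resolver
    name = reverse_lookup(ip)
    if name is None:
        return "no-ptr", None
    forward = forward_lookup(name)
    if not forward:
        return "ptr-unconfirmed", name
    if ip in forward:
        return "confirmed", name
    return "ptr-mismatch", name


def ptr_in_domain(ptr_name: Optional[str], domain: str) -> bool:
    """True if the reverse name sits under the domain a sender claims.

    This is the test the reply describes (mail from admin@example.com should
    come from an address whose reverse name ends in example.com). On its own it
    is not proof of anything; combine it with fcrdns() so that the name has
    also been confirmed by the domain's forward zone.
    """
    if not ptr_name:
        return False
    host = ptr_name.rstrip(".").lower()
    dom = domain.rstrip(".").lower()
    return host == dom or host.endswith("." + dom)


def summarize(ips: List[str]) -> Dict[str, int]:
    """Tally verdicts over a list of logged client addresses."""
    counts: Dict[str, int] = {}
    for ip in ips:
        verdict, _ = fcrdns(ip)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample of addresses as they might appear in an access log.
    logged = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.5", "192.0.2.99"]
    for ip in logged:
        verdict, name = fcrdns(ip)
        print(f"{ip:<14} {verdict:<16} {name or '-'}")
    print(summarize(logged))
```

The interesting row is 192.0.2.11: its PTR says mail.example.com, which looks just as legitimate as the genuine mail host, but example.com's forward zone never points there, so the name is only an unverified claim by the block owner. Note that a generic ISP-assigned name such as mail.network.example can still pass, so a "mail." prefix is neither evidence for nor against legitimacy; only the forward confirmation and the domain the name sits under carry any weight.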
#3
Posted 25 February 2011 - 02:54 AM
This is quite interesting stuff. I will skim some of the relevant RFCs and keep them in the back of my head. You say that the IP owner can set it to what they want; can it possibly be spoofed?
#5
Posted 25 February 2011 - 02:59 AM
Thank you for the quick replies Alexander. :) You are being so helpful tonight.