What is with reverse IP addresses returning mail.*?

networking

4 replies to this topic

#1 Graphene

    CC Regular

  • Member
  • 34 posts
  • Learning: C, C++, Python, JavaScript

Posted 25 February 2011 - 01:13 AM

I feel nice as I have a fresh set of data I can analyse from my websites; part of my logging mechanism runs gethostbyaddr() on the IP addresses and puts them in a nice sorted list.

My question: Many of them appear as mail.<domainname>.com, would these users be legitimate, or are they spam bots for mail servers?

Some appear to be from ISPs, some from actual websites if that makes more sense.
  • 0

#2 Alexander

    YOL9

  • Moderator
  • 3963 posts
  • Location: Vancouver, Eh!
  • Cleverness: 200
  • Programming Language: C, C++, PHP, Assembly

Posted 25 February 2011 - 01:30 AM

A tried and true method of authenticating mail is by setting the reverse host (which is set by the IP block owner, not the DNS) to contain the name of the mailserver's domain.

A simple example: admin@example.com has sent email from 1.2.3.4. That address must contain a reverse host entry of example.com for the authentication to work, so often broken implementations or ISPs will automatically assign mail.network.com to an IP block to ensure their mail goes unfiltered.

There is nothing saying that 'mail' has to be in the reverse entry; that is why I call it a broken implementation. It could be from an ISP that wishes to bypass some sort of in-place filtering, or set it to default automatically to this. I would not call it malicious, although it is possible that the person is from an unconfigured dedicated server (proxy).

Edited by Alexander, 25 February 2011 - 02:51 AM.
Clarification

  • 1

All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.


#3 Graphene

    CC Regular

  • Member
  • 34 posts
  • Learning: C, C++, Python, JavaScript

Posted 25 February 2011 - 02:54 AM

This is quite interesting stuff; I will skim some of the relevant RFCs and keep them in the back of my head. You say that the IP owner can set it to what they want; can it possibly be spoofed?
  • 0

#4 Alexander

    YOL9

  • Moderator
  • 3963 posts
  • Location: Vancouver, Eh!
  • Cleverness: 200
  • Programming Language: C, C++, PHP, Assembly

Posted 25 February 2011 - 02:58 AM

Yes, so you should not rely on this feature to validate.
  • 1

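The point made in #2 and #4 is that the PTR record is published by whoever holds the IP block, while the forward (A) record for a name is published by whoever holds the domain, so a PTR name on its own proves nothing. A check that a log analyser can apply to the gethostbyaddr() output from #1 is forward-confirmed reverse DNS: resolve the PTR name forward again and see whether it points back at the original address. The example below is added here and is not code from either poster; it wraps the OS resolver but also accepts injected resolver functions, and the FAKE_PTR / FAKE_A tables are constructed records (not real DNS data) so it runs offline.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

ReverseFn = Callable[[str], str]
ForwardFn = Callable[[str], List[str]]


def system_reverse(ip: str) -> str:
    """PTR lookup through the OS resolver (the same call the thread's logger uses)."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(name: str) -> List[str]:
    """A-record lookup through the OS resolver; every IPv4 address for the name."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def classify(ip: str, reverse: ReverseFn = system_reverse,
             forward: ForwardFn = system_forward) -> Tuple[Optional[str], str]:
    """Forward-confirmed reverse DNS for one client address.

    Returns (ptr_name, status), where status is one of:
      'no-ptr'          the block owner published no reverse record
      'ptr-no-forward'  a PTR exists but its name does not resolve forward
      'unconfirmed'     the name resolves, but not back to this address
      'confirmed'       PTR and A records agree
    Only 'confirmed' means the IP block owner and the domain owner both vouch
    for the pairing; even then a leading 'mail.' label says nothing about the
    host's actual role, as the thread notes.
    """
    try:
        name = reverse(ip)
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None, "no-ptr"
    try:
        addrs = forward(name)
    except OSError:
        return name, "ptr-no-forward"
    return name, ("confirmed" if ip in addrs else "unconfirmed")


def summarize(ips: Iterable[str], reverse: ReverseFn = system_reverse,
              forward: ForwardFn = system_forward) -> Dict[str, int]:
    """Count each status over a batch of log IPs, instead of listing bare PTR names."""
    counts: Dict[str, int] = {}
    for ip in ips:
        _, status = classify(ip, reverse, forward)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed records for an offline run (assumption: none of these are real).
FAKE_PTR = {
    "198.51.100.10": "mail.example.com",          # PTR and A agree
    "198.51.100.11": "mail.example.com",          # A record for that name excludes this IP
    "198.51.100.12": "mail.nonexistent.invalid",  # PTR name has no forward record
    # 198.51.100.13 deliberately absent: no PTR published at all
}
FAKE_A = {
    "mail.example.com": ["198.51.100.10", "198.51.100.20"],
}


def fake_reverse(ip: str) -> str:
    """Stand-in for gethostbyaddr() backed by the constructed PTR table."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(name: str) -> List[str]:
    """Stand-in for getaddrinfo() backed by the constructed A table."""
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return list(FAKE_A[name])


if __name__ == "__main__":
    sample_ips = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
    for ip in sample_ips:
        print(ip, *classify(ip, fake_reverse, fake_forward))
    print(summarize(sample_ips, fake_reverse, fake_forward))
```

Calling classify(ip) with no resolver arguments uses the live OS resolver; the injected fake resolvers exist so the logic can be exercised without network access. Treat the status as a consistency signal for log analysis only, not as authentication of the client.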


#5 Graphene

    CC Regular

  • Member
  • 34 posts
  • Learning: C, C++, Python, JavaScript

Posted 25 February 2011 - 02:59 AM

Thank you for the quick replies Alexander. :) You are being so helpful tonight.
  • 0
