[Mimedefang] Get (may be forged) with mail from list

Jeffrey Goldberg jeffrey at goldmark.org
Thu Jul 10 00:50:01 EDT 2003


[cc'ed to roaringpenguin DNS contact address]

On Wed, 9 Jul 2003, G. Roderick Singleton wrote:

> I have noticed that email from the list are often tagged with (may be
> forged)
>
> Received: from www.roaringpenguin.com (roaringpenguin.com [216.191.236.23]
>            (may be forged)) [...]

The connecting IP address is 216.191.236.23.  When you do a reverse DNS
lookup on that you get:

  roaringpenguin.com

But when you lookup

  roaringpenguin.com

you get nothing.

Now suppose I am a bad guy and I have authority over, say, 216.191.236.*.
I could set up my nameserver for that netspace to give something like

   216.191.236.1  ->  payments.amazon.com

I could do that without Amazon's knowledge or permission and there is
nothing they could do to stop me.

But suppose your system knows that this kind of thing may happen.  So when
it looks up

   216.191.236.1

and gets

  payments.amazon.com

It then goes and looks up

  payments.amazon.com

And that lookup will query a system controlled by Amazon.com.  If
Amazon.com's nameserver says "I've never heard of that" or gives some
IP address other than 216.191.236.1 as an answer, it is good to be
sceptical of the "payments.amazon.com" name.  That is what your sendmail
is doing in this case.  It's saying that the owner of the relevant spread
of IP addresses says that this machine is "roaringpenguin.com", but when I
ask the system that should know about such addresses, it says "I've never
heard of them."

Imagine if someone, Sam Smith, came to your house with an ID card from the
gas company. You call up the gas company to verify that Sam Smith works
for the gas company and they say that they don't know any Sam Smith.

>  Is this deliberate or an artifact of DNS setup?

It means that DFS (David Skoll, I presume) at roaringpenguin.com made a
common boo-boo. It can be fixed by adding an A record or a CNAME for
roaringpenguin.com that points (directly or indirectly) to

 216.191.236.23

Alternatively DFS can change the PTR record for 216.191.236.23 to go to
some name which already does resolve back to that number.

The error is common enough that I would never reject mail based on it, but
it is something David should fix.  Note that some common configurations of
some services (ftp, pop3) do reject connections on this basis.

-j

-- 
Jeffrey Goldberg                            http://www.goldmark.org/jeff/
 Relativism is the triumph of authority over truth, convention over justice
 Hate spam?  Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/
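The forward-confirmed reverse DNS check described in the post above, written out as an added example (not code from the original message, from sendmail, or from the MIMEDefang project). The PTR and A tables are constructed stand-ins for resolver answers; the only case taken from the thread is 216.191.236.23 having a PTR of roaringpenguin.com with no matching A record. The exact `Received:` wording for a host with no PTR at all is an assumption; the "(may be forged)" form matches the header quoted in the thread.

```python
"""Forward-confirmed reverse DNS (the check behind sendmail's "(may be forged)").

Steps, as the post describes them:
  1. PTR lookup on the connecting IP -> a name claimed by the IP block's owner
  2. A lookup on that name          -> addresses claimed by the name's owner
  3. If the connecting IP is not among those addresses, the name is suspect.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed PTR table: IP -> reverse name (what the owner of the IP block says).
PTR_RECORDS: Dict[str, str] = {
    "216.191.236.23": "roaringpenguin.com",  # from the thread: PTR exists
    "192.0.2.10": "mail.example.net",        # constructed: consistent pair
    "192.0.2.20": "mx.example.org",          # constructed: forward answer disagrees
    # "192.0.2.30" deliberately has no PTR record at all
}

# Constructed A table: name -> addresses (what the owner of the name says).
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.7"],
    # "roaringpenguin.com" is absent: the misconfiguration discussed in the post
}


def ptr_lookup(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table."""
    return PTR_RECORDS.get(ip)


def a_lookup(name: str) -> List[str]:
    """Offline A lookup against the constructed table."""
    return A_RECORDS.get(name, [])


def live_ptr_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver (not used by the tests)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a_lookup(name: str) -> List[str]:
    """Real forward lookup via the system resolver (not used by the tests)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


@dataclass
class RdnsResult:
    ip: str
    reverse_name: Optional[str]
    forward_addrs: List[str] = field(default_factory=list)
    status: str = ""  # "verified", "may be forged", or "no reverse name"


def check_reverse_dns(
    ip: str,
    ptr: Callable[[str], Optional[str]] = ptr_lookup,
    forward: Callable[[str], List[str]] = a_lookup,
) -> RdnsResult:
    """Classify the reverse name for a connecting IP. This is advisory only:
    as the post notes, the mismatch is too common to be a rejection criterion."""
    name = ptr(ip)
    if name is None:
        return RdnsResult(ip, None, [], "no reverse name")
    addrs = forward(name)
    if ip in addrs:
        return RdnsResult(ip, name, addrs, "verified")
    return RdnsResult(ip, name, addrs, "may be forged")


def received_clause(helo: str, ip: str, ptr=ptr_lookup, forward=a_lookup) -> str:
    """Render the 'from HELO (name [ip] ...)' part of a sendmail-style Received
    header. The bare '[ip]' form for a host without a PTR is an assumption."""
    r = check_reverse_dns(ip, ptr, forward)
    if r.reverse_name is None:
        return f"from {helo} ([{ip}])"
    if r.status == "verified":
        return f"from {helo} ({r.reverse_name} [{ip}])"
    return f"from {helo} ({r.reverse_name} [{ip}] (may be forged))"


if __name__ == "__main__":
    for addr in ("216.191.236.23", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(check_reverse_dns(addr))
    print(received_clause("www.roaringpenguin.com", "216.191.236.23"))
```

To run the same logic against real DNS, pass `live_ptr_lookup` and `live_a_lookup` as the `ptr` and `forward` callbacks; the offline tables exist so the three outcomes (verified, mismatch, no PTR) can be exercised without network access.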