spamassassin-users mailing list archives

From mouss <mo...@netoyen.net>
Subject Re: [OT?] rDNS tomfoolery - "localhost"
Date Wed, 08 Oct 2008 19:39:54 GMT
John Hardin wrote:
> All:
>
> I've recently come across some anomalous behavior in Vista and Win2k3
> when confronted with a host's rDNS returning "localhost". It seems
> Vista and Win2k3 replace this with the local hostname. To illustrate:
>
>    ping -a 123.30.74.2
>
AFAIK, "-a" doesn't change how ping works. The only thing it adds is to
show the PTR. But ping will contact the IP.

> (Note: this isn't new, some searching reveals a blog post about it a
> year ago.)
>
> Is this a recognized spammer tactic to try to take advantage of
> poorly-implemented whitelisting?

If paranoia mode is on, maybe. But I doubt it's the case here (setting
the PTR to updates.microsoft.com or the like may be more "effective").


Looks like a zone with a wildcard, and the PTR is set to localhost (a
default value in the tool that generated the zone?).

$ host 123.30.0.0
0.0.30.123.in-addr.arpa domain name pointer localhost.
$ host  123.31.255.255
255.255.31.123.in-addr.arpa domain name pointer localhost.


>
> Does anybody know if this is a known security risk? (e.g. can a
> webserver with rDNS set to "localhost" bypass any IE security features?)
>

While shit has happened too many times, I don't see why a browser would
do a PTR lookup when given an IP.
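
An added example, not part of the original message: a sketch of how a whitelist keyed on rDNS names can avoid trusting a PTR of "localhost" (or any name the owner of the IP chooses to publish), by dropping local names and requiring the forward lookup to map back to the connecting IP. The lookup tables are constructed sample data and the function names are hypothetical.

```python
import ipaddress

# Constructed sample DNS data (not real lookups). The first PTR entry mirrors
# the wildcard zone shown in the message; the others are hypothetical.
PTR = {
    "123.30.0.0": ["localhost."],
    "192.0.2.10": ["updates.example.com."],   # PTR is set by whoever runs the IP
    "198.51.100.5": ["mail.example.com."],
}
A = {
    "localhost": ["127.0.0.1"],
    "updates.example.com": ["198.51.100.7"],  # forward zone disagrees with PTR
    "mail.example.com": ["198.51.100.5"],
}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def naive_trusted(ip, trusted):
    """Weak check: trusts whatever name the PTR record claims."""
    return any(n.rstrip(".").lower() in trusted for n in PTR.get(ip, []))


def confirmed_names(ip, lookup_ptr=PTR.get, lookup_a=A.get):
    """Return PTR names for ip whose forward lookup maps back to ip."""
    addr = ipaddress.ip_address(ip)
    names = []
    for raw in lookup_ptr(ip) or []:
        name = raw.rstrip(".").lower()
        # A remote peer's PTR can never legitimately be a local or
        # single-label name, so drop it before it reaches any name match.
        if name in LOCAL_NAMES or "." not in name:
            continue
        forward = {ipaddress.ip_address(a) for a in lookup_a(name) or []}
        if addr in forward:
            names.append(name)
    return names


def strict_trusted(ip, trusted):
    """Hardened check: only forward-confirmed, non-local names count."""
    return any(n in trusted for n in confirmed_names(ip))


if __name__ == "__main__":
    trusted = {"localhost", "updates.example.com", "mail.example.com"}
    for ip in PTR:
        print(ip, naive_trusted(ip, trusted), strict_trusted(ip, trusted))
```
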
