Subject: Re: dos from .kr, plus some classic .kr irresponsibility
From: Bill Royds (Bill_Royds@PCH.GC.CA)
Date: Thu Aug 10 2000 - 19:58:56 CDT
- Next message: Luke Dudney: "Re: Can anyone explain this compromise?"
- Previous message: Alfred Huger: "New mailing list for penetration testers @ SecurityFocus.com"
- Maybe in reply to: Jason Storm: "dos from .kr, plus some classic .kr irresponsibility"
- Next in thread: Michal 'CeFeK' Nazarewicz: "Re: HELO/EHLP attack?."
- Maybe reply: Bill Royds: "Re: dos from .kr, plus some classic .kr irresponsibility"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Here is a wonderful example of the difficulty of contacting administrators of IP
blocks.
I found a log line in our sendmail log this morning indicating an email had
been rejected because the sending host did not have a DNS entry. We use
Sendmail's ability to verify the authenticity of sending domains to block spam.
Aug 10 01:01:44 point sendmail[4664]: BAA04664: ruleset=check_mail, arg1=<invoice@rolemail.internic.net>, relay=rolemail.internic.net [216.168.233.54] (may be forged), reject=501 <invoice@rolemail.internic.net>... Sender domain must exist
I thought this was weird because internic (Network Solutions), of all places,
should have valid DNS entries for their mail servers.
Perhaps it really was a spammer faking the reverse DNS entry to allow the spam
to get in, so I looked up the IP address in ARIN whois:
08/10/00 20:53:50 IP block 216.168.233.54
whois.aunic.net
Trying 216.168.233.54 at ARIN
Trying 216.168.233 at ARIN
Network Solutions, Inc. (NETBLK-NSI-NETBLK1)
505 Huntmar Park Drive
Herndon, VA 20170
US
Netname: NSI-NETBLK1
Netblock: 216.168.224.0 - 216.168.255.255
Coordinator:
Karas, Michael (MK124-ARIN) mkaras@netsol.com
703-326-2650 (DSN) 295-3304 (DSN) 295-3304
Domain System inverse mapping provided by:
NS1.NETSOL.COM 216.168.224.200
NS2.NETSOL.COM 198.17.208.83
NS3.NETSOL.COM 216.168.224.201
Record last updated on 02-May-2000.
Database last updated on 10-Aug-2000 17:54:58 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
It was Network Solutions, so I decided to send an email to the registered contact for
that block asking that they correct their DNS entries.
Here is the resulting error reply:
Your message
To: mkaras@netsol.com
Cc: Postmaster@my.domain.ca
Subject: Please ensure that you use email hosts with both forward and reverse DNS entries.
Sent: Thu, 10 Aug 2000 17:56:36 -0400
did not reach the following recipient(s):
mkaras@netsol.com on Thu, 10 Aug 2000 17:54:31 -0400
The recipient name is not recognized
The MTS-ID of the original message is: c=US;a= ;p=netsol;l=?0008102154QLP94K7M
MSEXCH:IMS:Netsol:US-Herndon-NIC:NETSOL-NIC-EX03 0 (000C05A6) Unknown Recipient
Message-ID: <85256937.007890A5.00@my.domain.ca>
From: Bill_Royds@my.domain.ca
To: mkaras@netsol.com
Cc: Postmaster@my.domain.ca
Subject: Please ensure that you use email hosts with both forward and reverse DNS entries.
Date: Thu, 10 Aug 2000 17:56:36 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
X-MS-Embedded-Report:
Content-Type: text/plain; charset="iso-8859-1"
This morning our Internet email server rejected an attempt to send an email
from an IP in your range that was using a source address of a host with no DNS
host name.
We have a policy of not accepting email with no valid return address.
Please ensure that you maintain your DNS tables accurately with a forward
DNS entry for rolemail.internic.net.
Here is our sendmail syslog for the connect attempt.
Aug 10 01:01:44 point sendmail[4664]: BAA04664: ruleset=check_mail, arg1=<invoice@rolemail.internic.net>, relay=rolemail.internic.net [216.168.233.54] (may be forged), reject=501 <invoice@rolemail.internic.net>... Sender domain must exist
Times are EDT (UTC-0400)
Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU> on 08/09/2000 15:50:06
Please respond to Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
To: INCIDENTS@SECURITYFOCUS.COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: dos from .kr, plus some classic .kr irresponsibility
On Tue, 8 Aug 2000, Dan Hollis wrote:
> Actually, I have been thinking of writing up an RFC for contact
> information (security, spam, etc) stored in reverse dns TXT records.
totally unneeded. people should just keep their NIC records up to freakin
date and actually freakin reply. i'm so !^%$!^%# sick and !#&^%! tired of
domains that bounce, have people who have left or ignore huge assed
problems, not pissy portscans but serious freakin holes.
once i get back to my desk i'll finish my take on RFP's policy for
bugtraq'ing as i have tweaked it for incident handling.
in the meantime, if you get a collect call from me as a domain admin,
answer the freakin phone, i'm probably telling you something important.
out of patience,
jose nazario jose@biochemistry.cwru.edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
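The thread above turns on one sendmail check_mail rejection and its "(may be forged)" marker: the connecting address had a PTR record naming rolemail.internic.net, but that name had no forward A record pointing back at the address, so the sender domain check failed. The following Python is an added example written for this archive page; it is not code from the post, from sendmail, or from any of the parties named. It parses rejection lines in the format quoted in the post and classifies each connecting host by forward-confirmed reverse DNS. The sample log lines (the one from the post rejoined onto a single line, plus three constructed ones) and the forward-zone table `FAKE_FORWARD` are constructed for the example; `fake_lookup_a` is a hypothetical stand-in for a resolver so the code runs offline, and a real lookup function with the same contract can be injected in its place.

```python
import re
from typing import Callable, Dict, List, Optional

# sendmail 8.x "check_mail" rejection line.  Field order follows the line quoted
# in the post.  The relay name is optional because sendmail logs only "[ip]"
# when the address has no PTR record, and "(may be forged)" is appended only
# when the PTR name did not resolve back to the connecting address.
CHECK_MAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): ruleset=check_mail, arg1=<(?P<sender>[^>]*)>, "
    r"relay=(?:(?P<relay>\S+) )?\[(?P<ip>[0-9.]+)\](?P<forged> \(may be forged\))?, "
    r"reject=(?P<code>\d{3}) <[^>]*>\.\.\. (?P<reason>.*)$"
)


def parse_check_mail(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a check_mail rejection, or None for any other line."""
    m = CHECK_MAIL_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "queue_id": d["qid"],
        "sender": d["sender"],
        "sender_domain": d["sender"].rpartition("@")[2],
        "ptr_name": d["relay"],            # None when sendmail logged only [ip]
        "ip": d["ip"],
        "may_be_forged": d["forged"] is not None,
        "reject_code": int(d["code"]),
        "reason": d["reason"],
    }


def forward_confirmed(ip: str, ptr_name: Optional[str],
                      lookup_a: Callable[[str], List[str]]) -> str:
    """Classify a connection by forward-confirmed reverse DNS (FCrDNS).

    lookup_a(name) must return the A records for name and raise LookupError
    when the name does not exist; a real resolver can be injected here.
    """
    if not ptr_name:
        return "no-ptr"
    try:
        addrs = lookup_a(ptr_name)
    except LookupError:
        return "ptr-no-forward"   # the post's case: sendmail says "(may be forged)"
    return "confirmed" if ip in addrs else "ptr-mismatch"


def triage(lines: List[str],
           lookup_a: Callable[[str], List[str]]) -> List[Dict[str, object]]:
    """Parse every check_mail rejection in lines and attach an FCrDNS verdict."""
    out = []
    for line in lines:
        rec = parse_check_mail(line)
        if rec is None:
            continue
        rec["fcrdns"] = forward_confirmed(rec["ip"], rec["ptr_name"], lookup_a)
        out.append(rec)
    return out


# --- constructed sample data (hypothetical, not from a live system) ---------

# Forward-zone contents standing in for a resolver.  The name from the post,
# rolemail.internic.net, is deliberately absent: a PTR with no matching A
# record is exactly what sendmail flagged as "(may be forged)".
FAKE_FORWARD: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.5"],
}


def fake_lookup_a(name: str) -> List[str]:
    if name not in FAKE_FORWARD:
        raise LookupError(name)
    return FAKE_FORWARD[name]


SAMPLE_LOG = [
    # the line quoted in the post, rejoined onto one line
    "Aug 10 01:01:44 point sendmail[4664]: BAA04664: ruleset=check_mail, "
    "arg1=<invoice@rolemail.internic.net>, relay=rolemail.internic.net "
    "[216.168.233.54] (may be forged), reject=501 "
    "<invoice@rolemail.internic.net>... Sender domain must exist",
    # constructed: PTR confirms, but the envelope sender domain does not exist
    "Aug 10 02:15:09 point sendmail[4702]: CAA04702: ruleset=check_mail, "
    "arg1=<bob@no-such-domain.invalid>, relay=mail.example.net [192.0.2.10], "
    "reject=501 <bob@no-such-domain.invalid>... Sender domain must exist",
    # constructed: no PTR record at all for the connecting address
    "Aug 10 03:40:21 point sendmail[4788]: DAA04788: ruleset=check_mail, "
    "arg1=<x@bogus.invalid>, relay=[203.0.113.7], "
    "reject=501 <x@bogus.invalid>... Sender domain must exist",
    # constructed: an unrelated sendmail line that the parser must skip
    "Aug 10 03:41:00 point sendmail[4790]: DAA04790: from=<ok@example.org>, "
    "size=1200, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.org [198.51.100.5]",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG, fake_lookup_a):
        print(f'{rec["queue_id"]} {rec["ip"]:<15} ptr={rec["ptr_name"]} '
              f'forged={rec["may_be_forged"]} fcrdns={rec["fcrdns"]}')
```

The three verdicts are the ones worth separating in a mail log review: "no-ptr" and "ptr-no-forward" are both addresses nobody can be reached about through DNS alone, whereas "ptr-mismatch" usually means a stale zone rather than a forgery. Keeping the resolver injectable lets the same triage run against captured logs without touching the network.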