What would you do about questionable domain pointing A record to your IP address?
All, We have a rather strange situation (well, strange to me, at least). We have an email reputation accreditation applicant, who otherwise looks clean, however there is a very strange and somewhat concerning domain being pointed to one of the applicant's IP addresses Let's call the domain example.com, and the IP address 127.0.0.1, for these purposes. Applicant is assigned 127.0.0.1. the rDNS correctly goes to their own domain. However, example.com (which in reality is a concerning domain name) claims 127.0.0.1 as their A record. Of course, example.com is registered privately, and their DNS provider is one who is...umm... "known to provide dns for domains seen in spam." As I see it, the applicant's options are: a) just not worry about it and keep an eye on it b) publish a really tight spf record on it, so if they are somehow compromised, email appearing to come from example.com and 127.0.0.1 should be denied c) not use the IP address at all (it's part of a substantially larger block) d) two or more of the above. Thoughts? What would you do? Thanks! Anne Anne P. Mitchell, Esq. CEO/President ISIPP SuretyMail Email Reputation, Accreditation & Certification Your mail system + SuretyMail accreditation = delivered to their inbox! http://www.SuretyMail.com/ http://www.SuretyMail.eu/ Author: Section 6 of the Federal CAN-SPAM Act of 2003 Member, California Bar Cyberspace Law Committee Ret. Professor of Law, Lincoln Law School of San Jose 303-731-2121 | amitchell@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell
Hi, On Fri, Feb 20, 2015 at 12:08 PM, Anne P. Mitchell, Esq. <amitchell@isipp.com> wrote:
All,
We have a rather strange situation (well, strange to me, at least).
We have an email reputation accreditation applicant, who otherwise looks clean, however there is a very strange and somewhat concerning domain being pointed to one of the applicant's IP addresses Let's call the domain example.com, and the IP address 127.0.0.1, for these purposes.
Applicant is assigned 127.0.0.1. the rDNS correctly goes to their own domain.
However, example.com (which in reality is a concerning domain name) claims 127.0.0.1 as their A record.
I don't think having an A record in the DNS is really a "claim". Let's say I want to send mail to company.example.com but I don't like them so much so I set up companySUCKS.foo.example.com pointing at their mail server either through an A record or a CNAME... Then, I believe, inside my mail, the mail could appear to be to person@companySUCKS.foo.example.com if it wasn't blocked by some security mechanism. Perhaps this is protected speech or, with a few changes, a parody or something. See Section 4.1.3 "You Can't Control What Names Point At You" in my RFC http://tools.ietf.org/html/rfc3675 A somewhat similar thing is in Section 4.1.4.1 of that RFC where I was on social mailing list with an innocuous name and someone had long set up a forwarder so that if you sent email to cat-torturers@other.example (real left hand side, obviously not the real right hand side). It would get sent to the social mailing list and the that address would appear in the "to:" line inside the mail. For that particular crowd, most people thought this was pretty funny, but it is the same sort of thing.
Of course, example.com is registered privately, and their DNS provider is one who is...umm... "known to provide dns for domains seen in spam."
As I see it, the applicant's options are:
a) just not worry about it and keep an eye on it
b) publish a really tight spf record on it, so if they are somehow compromised, email appearing to come from example.com and 127.0.0.1 should be denied
c) not use the IP address at all (it's part of a substantially larger block)
d) two or more of the above.
Thoughts? What would you do?
If it isn't actually causing a problem, a) seems viable but you could certainly do b) or c) or both if you feel like it. Anyway, I'm not a lawyer... :-) Donald ============================= Donald E. Eastlake 3rd +1-508-333-2270 (cell) 155 Beaver Street, Milford, MA 01757 USA d3e3e3@gmail.com
Thanks!
Anne
Anne P. Mitchell, Esq. CEO/President ISIPP SuretyMail Email Reputation, Accreditation & Certification Your mail system + SuretyMail accreditation = delivered to their inbox! http://www.SuretyMail.com/ http://www.SuretyMail.eu/
Author: Section 6 of the Federal CAN-SPAM Act of 2003 Member, California Bar Cyberspace Law Committee Ret. Professor of Law, Lincoln Law School of San Jose 303-731-2121 | amitchell@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell
On 2/20/2015 11:08 AM, Anne P. Mitchell, Esq. wrote:
a) just not worry about it and keep an eye on it If they have held the netblock for awhile and are already using the IP Address in question, this is fine. I presume that the servers don't actually respond for that domain (name-based web or domain based acceptance on a mail server).
b) publish a really tight spf record on it, so if they are somehow compromised, email appearing to come from example.com and 127.0.0.1 should be denied You must control a domain to control its SPF. This is not an option if they don't control the bad domain. DKIM or similar might be the more appropriate protocol? SPF protects domains, some of the other protocols protect the mail servers themselves.
c) not use the IP address at all (it's part of a substantially larger block)
If it's a recently acquired netblock, then it may have a bad reputation due to prior use. Investigating the reputation and possibly avoiding that particular IP Address might be warranted. Jack
On Fri, Feb 20, 2015 at 12:08 PM, Anne P. Mitchell, Esq. <amitchell@isipp.com> wrote:
We have an email reputation accreditation applicant, who otherwise looks clean, however there is a very strange and somewhat concerning domain being pointed to one of the applicant's IP addresses Let's call the domain example.com, and the IP address 127.0.0.1, for these purposes.
Applicant is assigned 127.0.0.1. the rDNS correctly goes to their own domain.
However, example.com (which in reality is a concerning domain name) claims 127.0.0.1 as their A record.
Howdy, How does 127.0.0.1 behave when you access it and declare yourself to be seeking example.com? If it's a mail server, what happens when you try to mail postmaster@examplecompany.com? Do you get a no-relaying message or one of the other errors appropriate to a server not configured to handle mail for example.com? If it's a web server, what happens when your browser asks for Host: www.example,com? Do you get example.com's web page? Also check 3rd party databases to the extent possible. Can you find examples of dastardly example.com activity from 127.0.0.1 during a time the whois records say applicant had control of 127.0.0.1? You get the general idea. Check for things you know to be under the applicant's control. If they come up clean, they're clean. If they're dirty and they're sloppy enough to not clean up the example.com DNS zone file then they'll be sloppy elsewhere too. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
Thank you, everyone, for all of the responses, both on and offlist! Anne Anne P. Mitchell, Esq. CEO/President ISIPP SuretyMail Email Reputation, Accreditation & Certification Your mail system + SuretyMail accreditation = delivered to their inbox! http://www.SuretyMail.com/ http://www.SuretyMail.eu/ Author: Section 6 of the Federal CAN-SPAM Act of 2003 Member, California Bar Cyberspace Law Committee Ret. Professor of Law, Lincoln Law School of San Jose 303-731-2121 | amitchell@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell
participants (4)
-
Anne P. Mitchell, Esq. -
Donald Eastlake -
Jack Bates -
William Herrin