On Apr 8, 2004, at 14:41, Wakko Warner wrote:
>> - when a spammer controls the rDNS (in-addr.arpa) zone for the IP
>> address from which he is sending you the mail. He will simply create an
>> rDNS entry from his IP address to 'pop.rahul.com', for instance. When
>> you perform an MX lookup of this name, you'll get your own MX.
>
> IIRC, exim does an rDNS lookup then does another DNS lookup on that
> name. If the IP of the connecting host isn't listed in the 2nd lookup,
> the rDNS is assumed to be spoofed and not used. So this would be a
> non-issue. (Unless I misunderstood what you wrote)
Are you talking about Exim's "verify = helo" mechanism (or behaviour in
the case of "helo_verify_hosts = true")? If so, this has no bearing on
this discussion - this was about allowing relaying based on the sender's
domain (how this domain would be deduced was a topic of discussion).
If on the other hand you are saying that the variable $sender_host_name
(which, as you know, is deduced by way of resolving the peer's IP
address) is empty unless the host name can be verified in the forward
direction, then you have a point. However, according to
'spec.txt.gz', this does not seem to be the case.
>> - when a lookup of the remote IP address (correctly) yields
>> "spammer.biz", but the owner of "spammer.biz" adds an MX record to his
>> own domain pointing to "mx.rahul.com".
>
> Oooh =)
There is another potential problem associated with this, albeit a less
likely one. Many installations (mostly Exim 3 installations) allow
relaying to any domain for which the local host is an MX. So a
spammer could add the following MX records to his zone:
@ IN MX 1 mta.victim.domain.
@ IN MX 2 mta.your.domain.
If your MTA was configured to allow relaying to hosts for which you are
an MX, you would happily forward mails to 'mta.victim.domain.'.
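As an added illustration (not code from the thread or from Exim), the toy resolver below models both weaknesses discussed above: the spoofed rDNS name that is only safe to use after forward confirmation, and the "relay for any domain we are an MX for" policy, which lets the zone owner decide where the mail goes. All zone data, names and addresses are constructed for the example.

```python
# Constructed DNS data, keyed by (name, rrtype). 'spammer.biz' carries the two
# MX records from the thread; 198.51.100.7 has a PTR claiming 'pop.rahul.com',
# but that name's A record does not point back at it (a spoofed rDNS entry).
DNS = {
    ("spammer.biz", "MX"): [(1, "mta.victim.domain."), (2, "mta.your.domain.")],
    ("customer.example", "MX"): [(10, "mta.your.domain.")],
    ("mta.your.domain.", "A"): ["192.0.2.25"],
    ("mta.victim.domain.", "A"): ["203.0.113.25"],
    ("7.100.51.198.in-addr.arpa.", "PTR"): ["pop.rahul.com."],
    ("pop.rahul.com.", "A"): ["192.0.2.110"],
    ("8.100.51.198.in-addr.arpa.", "PTR"): ["mail.customer.example."],
    ("mail.customer.example.", "A"): ["198.51.100.8"],
}

MY_HOSTNAMES = {"mta.your.domain."}       # names our MTA answers to
RELAY_TO_DOMAINS = {"customer.example"}   # locally administered relay list

def lookup(name, rrtype):
    return DNS.get((name, rrtype), [])

def ptr_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def verified_sender_host_name(ip):
    """Forward-confirmed rDNS: return the PTR name only if one of its A
    records points back at the connecting IP; otherwise return None."""
    for name in lookup(ptr_name(ip), "PTR"):
        if ip in lookup(name, "A"):
            return name
    return None

def mx_relay_target(domain):
    """The weak policy: relay for any domain whose MX set names us, then
    deliver to the lowest-preference MX, which the zone owner chooses.
    Returns the host we would forward to, or None if relaying is refused."""
    mxs = sorted(lookup(domain, "MX"))
    if not any(host in MY_HOSTNAMES for _, host in mxs):
        return None
    return mxs[0][1]

def listed_relay_allowed(domain):
    """The safer policy: relay only for domains we configured ourselves,
    so nothing in the remote zone can change the decision."""
    return domain in RELAY_TO_DOMAINS
```

Under the MX-based policy, `mx_relay_target("spammer.biz")` returns `mta.victim.domain.`, i.e. our MTA would relay the spammer's mail onward to the victim; the list-based policy refuses the same domain.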