What would you do about questionable domain pointing A record to your IP address?

Mailman List Mirror (Read Only)
1

All,

We have a rather strange situation (well, strange to me, at least).

We have an email reputation accreditation applicant, who otherwise looks clean, however there is a very strange and somewhat concerning domain being pointed to one of the applicant's IP addresses Let's call the domain example.com, and the IP address 127.0.0.1, for these purposes.

Applicant is assigned 127.0.0.1. the rDNS correctly goes to their own domain.

However, example.com (which in reality is a concerning domain name) claims 127.0.0.1 as their A record.

Of course, example.com is registered privately, and their DNS provider is one who is...umm... "known to provide dns for domains seen in spam."

As I see it, the applicant's options are:

a) just not worry about it and keep an eye on it

b) publish a really tight spf record on it, so if they are somehow compromised, email appearing to come from example.com and 127.0.0.1 should be denied

c) not use the IP address at all (it's part of a substantially larger block)

d) two or more of the above.

Thoughts? What would you do?

Thanks!

Anne

Anne P. Mitchell, Esq.
CEO/President
ISIPP SuretyMail Email Reputation, Accreditation & Certification
Your mail system + SuretyMail accreditation = delivered to their inbox!
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Author: Section 6 of the Federal CAN-SPAM Act of 2003
Member, California Bar Cyberspace Law Committee
Ret. Professor of Law, Lincoln Law School of San Jose
303-731-2121 | amitchell@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell

2

Hi,

All,

We have a rather strange situation (well, strange to me, at least).

We have an email reputation accreditation applicant, who otherwise looks clean, however there is a very strange and somewhat concerning domain being pointed to one of the applicant's IP addresses Let's call the domain example.com, and the IP address 127.0.0.1, for these purposes.

Applicant is assigned 127.0.0.1. the rDNS correctly goes to their own domain.

However, example.com (which in reality is a concerning domain name) claims 127.0.0.1 as their A record.

I don't think having an A record in the DNS is really a "claim". Let's
say I want to send mail to company.example.com but I don't like them
so much so I set up companySUCKS.foo.example.com pointing at their
mail server either through an A record or a CNAME... Then, I believe,
inside my mail, the mail could appear to be to
person@companySUCKS.foo.example.com if it wasn't blocked by some
security mechanism. Perhaps this is protected speech or, with a few
changes, a parody or something.

See Section 4.1.3 "You Can't Control What Names Point At You" in my
RFC http://tools.ietf.org/html/rfc3675

A somewhat similar thing is in Section 4.1.4.1 of that RFC where I was
on social mailing list with an innocuous name and someone had long set
up a forwarder so that if you sent email to
cat-torturers@other.example (real left hand side, obviously not the
real right hand side). It would get sent to the social mailing list
and the that address would appear in the "to:" line inside the mail.
For that particular crowd, most people thought this was pretty funny,
but it is the same sort of thing.

Of course, example.com is registered privately, and their DNS provider is one who is...umm... "known to provide dns for domains seen in spam."

As I see it, the applicant's options are:

a) just not worry about it and keep an eye on it

b) publish a really tight spf record on it, so if they are somehow compromised, email appearing to come from example.com and 127.0.0.1 should be denied

c) not use the IP address at all (it's part of a substantially larger block)

d) two or more of the above.

Thoughts? What would you do?

If it isn't actually causing a problem, a) seems viable but you could
certainly do b) or c) or both if you feel like it.

Anyway, I'm not a lawyer... :slight_smile:

Donald

3

a) just not worry about it and keep an eye on it

If they have held the netblock for awhile and are already using the IP Address in question, this is fine. I presume that the servers don't actually respond for that domain (name-based web or domain based acceptance on a mail server).

b) publish a really tight spf record on it, so if they are somehow compromised, email appearing to come from example.com and 127.0.0.1 should be denied

You must control a domain to control its SPF. This is not an option if they don't control the bad domain. DKIM or similar might be the more appropriate protocol? SPF protects domains, some of the other protocols protect the mail servers themselves.

c) not use the IP address at all (it's part of a substantially larger block)

If it's a recently acquired netblock, then it may have a bad reputation due to prior use. Investigating the reputation and possibly avoiding that particular IP Address might be warranted.

Jack

4

Howdy,

How does 127.0.0.1 behave when you access it and declare yourself to
be seeking example.com? If it's a mail server, what happens when you
try to mail postmaster@examplecompany.com? Do you get a no-relaying
message or one of the other errors appropriate to a server not
configured to handle mail for example.com? If it's a web server, what
happens when your browser asks for Host: www.example,com? Do you get
example.com's web page?

Also check 3rd party databases to the extent possible. Can you find
examples of dastardly example.com activity from 127.0.0.1 during a
time the whois records say applicant had control of 127.0.0.1?

You get the general idea. Check for things you know to be under the
applicant's control. If they come up clean, they're clean. If they're
dirty and they're sloppy enough to not clean up the example.com DNS
zone file then they'll be sloppy elsewhere too.

Regards,
Bill Herrin

5

Thank you, everyone, for all of the responses, both on and offlist!

Anne

Anne P. Mitchell, Esq.
CEO/President
ISIPP SuretyMail Email Reputation, Accreditation & Certification
Your mail system + SuretyMail accreditation = delivered to their inbox!
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Author: Section 6 of the Federal CAN-SPAM Act of 2003
Member, California Bar Cyberspace Law Committee
Ret. Professor of Law, Lincoln Law School of San Jose
303-731-2121 | amitchell@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell