> The owner of a domain need not authorize a reverse DNS PTR

Indeed. Which is why I wrote: "...matches the forward lookup of the resulting address at PayPal"

e.g. the IP address of the MTA in question is [206.165.246.83]

nslookup 206.165.246.83 -> Name: email-83.paypal.com
nslookup email-83.paypal.com -> Address: 206.165.246.83

And also why I wrote "Therefore, PayPal is deliberately allowing that reverse IP in someone else's netblock."

I meant "allowing" in a business procedures sense, not in a technical sense of DNS being delegated. If I had written "agreeing with" or "collaborating with" it would have been clearer.

Andrew 8)

> -----Original Message-----
> From: Message Sniffer Community
> [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
> Sent: Wednesday, May 24, 2006 9:51 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
>
> The owner of a domain need not authorize a reverse DNS PTR record in any way, shape or form. If the netblock was owned, or the netblock owner had delegated rDNS to a malicious customer, they could easily set rDNS to whatever they wanted. Aol.com, paypal.com, ebay.com, chase.com ...
>
> -Jay
>
> -----Original Message-----
> From: Message Sniffer Community
> [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Wednesday, May 24, 2006 12:38 PM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
>
> It's really from PostDirect.com aka YesMail.com ...
>
> You can tell that it's authorized because the reverse DNS which ends in PayPal.com (ok, that does set off alarm bells when it's someone else's netblock) matches the forward lookup of the resulting address at PayPal.
>
> Therefore, PayPal is deliberately allowing that reverse IP in someone else's netblock.
>
> That, or both the netblock and PayPal's DNS have been p0wned.
>
> Andrew 8)
>
> > -----Original Message-----
> > From: Message Sniffer Community
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Wednesday, May 24, 2006 9:31 AM
> > To: Message Sniffer Community
> > Subject: [sniffer]Possible Paypal Phishing
> >
> > Attached are the headers to an e-mail I am suspecting as a clever phishing that has me worried.
> >
> > It looks like a legit message sent on behalf of Paypal, however, it is sent from an IP address not owned by Paypal BUT which has a REVDNS that ends in paypal.com.
> >
> > The message is full of links to images.postdirect.com but does have legit links to paypal.com.
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
>
> #############################################################
> This message is sent to you because you are subscribed to the mailing list <[email protected]>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to <[EMAIL PROTECTED]>
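The check Andrew describes (PTR lookup on the IP, A lookup on the resulting name, compare) is forward-confirmed reverse DNS. The following is an added example, not code from the Message Sniffer list or from any of the posters. It takes the two resolver functions as parameters so it runs offline against a constructed stub zone: the 206.165.246.83 / email-83.paypal.com pair is copied from the thread's nslookup output, while the 192.0.2.x addresses (RFC 5737 documentation space) and the name mailgw-77.paypal.com are invented to play the attacker cases Jay raises. The `live_ptr` and `live_forward` functions use the standard `socket` module if you want to run it against real DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS), as discussed in the thread.

Added example, not code from the Message Sniffer list. Resolver functions are
injected so the check can be exercised offline against a constructed stub zone.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional

PtrLookup = Callable[[str], Optional[str]]       # ip -> PTR target name, or None
ForwardLookup = Callable[[str], Iterable[str]]   # name -> A record addresses (may be empty)


def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (what 'nslookup <ip>' does)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name: str) -> List[str]:
    """A lookup via the system resolver (what 'nslookup <name>' does)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def domain_of(name: str) -> str:
    """Last two labels of a hostname. Simplification: wrong for ccSLDs such as co.uk."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def fcrdns(ip: str, ptr: PtrLookup = live_ptr,
           forward: ForwardLookup = live_forward) -> Dict[str, object]:
    """Forward-confirmed reverse DNS.

    A PTR alone proves nothing: whoever controls the netblock's in-addr.arpa zone
    can point it at any name. Confirmation requires that the name's own zone
    publishes an A record for the same IP, which only the domain owner can do.
    """
    name = ptr(ip)
    if name is None:
        return {"ip": ip, "ptr": None, "forward": [], "confirmed": False,
                "verdict": "no PTR record"}
    addrs = sorted(set(forward(name)))
    confirmed = ip in addrs
    if confirmed:
        verdict = "confirmed: %s publishes an A record for %s" % (domain_of(name), ip)
    elif addrs:
        verdict = "spoofed PTR: %s resolves to %s, not %s" % (name, ", ".join(addrs), ip)
    else:
        verdict = "unconfirmed PTR: %s does not resolve" % name
    return {"ip": ip, "ptr": name, "forward": addrs, "confirmed": confirmed,
            "verdict": verdict}


# Constructed stub zone. The first PTR/A pair is the thread's nslookup output; the
# 192.0.2.x entries and mailgw-77.paypal.com are invented for the attacker cases.
STUB_PTR = {
    "206.165.246.83": "email-83.paypal.com",  # from the thread
    "192.0.2.10": "email-83.paypal.com",      # attacker copies PayPal's real name into their PTR
    "192.0.2.11": "mailgw-77.paypal.com",     # attacker invents a paypal.com name that does not exist
}
STUB_A = {
    "email-83.paypal.com": ["206.165.246.83"],  # from the thread
}


def stub_ptr(ip: str) -> Optional[str]:
    return STUB_PTR.get(ip)


def stub_forward(name: str) -> List[str]:
    return list(STUB_A.get(name, []))


def check_all(ips: Iterable[str]) -> Dict[str, bool]:
    """Map each IP to whether its PTR is forward-confirmed in the stub zone."""
    return {ip: bool(fcrdns(ip, stub_ptr, stub_forward)["confirmed"]) for ip in ips}


if __name__ == "__main__":
    for ip in ("206.165.246.83", "192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, "->", fcrdns(ip, stub_ptr, stub_forward)["verdict"])
```

Only the first address passes. The second fails even though its PTR ends in paypal.com, because email-83.paypal.com resolves to 206.165.246.83 rather than 192.0.2.10; the third fails because the forward lookup returns nothing. Note what a pass does and does not prove: it shows that whoever controls the paypal.com zone published an A record for that address, which is Andrew's "business procedures" sense of authorization. It says nothing about who owns the netblock, which is why Jay's objection applies to a bare PTR but not to a forward-confirmed one.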
