Unfortunately, many companies don't have their DNS records completely configured, and many smaller ISPs have neglected their DNS as well.
When people set up their domains for e-mail they generally stop at the A and MX records. The PTR, or reverse look-up, record generally gets overlooked. The A record lets you find a system's IP address from its name. For instance, if you wanted to visit Intel's web site, your computer would consult DNS for the A record for www.intel.com. Querying DNS tells us the address is 198.175.96.33, and your computer connects to that address when you browse to www.intel.com.
The MX record tells us which hosts handle e-mail for a particular domain. When you want to send an e-mail to someone at Intel, your e-mail server queries DNS for Intel's MX records. Intel's MX records are mga01.intel.com, mga02.intel.com, and mga03.intel.com, meaning all three of those servers are capable of validly accepting mail for the intel.com domain. Your e-mail server then looks up the A records for those MX hosts and has addresses it can deliver your e-mail to.
The PTR record is the opposite of the A record. With the A record you have the fully-qualified domain name of a computer and want its IP address; with the PTR record you have the IP address and want to know the fully-qualified domain name.
Reverse DNS lets you use the PTR record to confirm whether an e-mail server is what it claims to be. Say a spammer sends you an e-mail that claims to be from someone at Intel. Your e-mail server could look at the IP address of the computer it receives the message from and, through the PTR record, determine that the sender isn't really one of Intel's mail servers: the FQDN the spammer's PTR record points to (if one is even configured) would tell your server the sending IP address doesn't belong to a host in Intel's domain. Two caveats a careful implementation has to keep in mind: the check is against the host that actually connected to you, not the address in the From: header, and a PTR record by itself can be set to any name by whoever controls the address block, so the usual practice is to also look up the A record of the name the PTR returned and confirm it points back at the connecting IP address (forward-confirmed reverse DNS).
One of the problems here is that e-mail servers sometimes handle e-mail for several domains. I have a client that manufactures a number of different products. They have domain names for several of these products and receive mail on each of these domains. Having a server for each of these domains would be rather expensive, especially given that traffic for each of these domains is relatively low. So, e-mail from most of their domains comes from an e-mail server whose A and PTR records indicate a different domain name.
The way AOL seems to implement reverse DNS lookups gets around this problem. Their implementation isn't all that strict: all that's required is that the sending address resolve to a fully-qualified domain name. Even so, because AOL does this, a number of companies have spotty reliability when sending e-mail to AOL; their PTR records just aren't configured properly. AOL is big enough to get away with it. At this point, because the lack of PTR configuration is so common, none of my clients would be able to do this. As soon as a client started having e-mail blocked because a sender's e-mail administrator never configured a PTR record, I would have to stop using reverse DNS checks. When AT&T Worldnet tried to implement it in 2003 they got quite a rude awakening and had to disable it within a day.
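As an added example (not code from the original post), here is the reverse DNS check written out in Python, covering both the strict "is this really one of Intel's servers" test described above and the looser AOL-style test that a shared mail server hosting several domains can still pass. Every host name, address and record in it is constructed for the example (RFC 5737 test addresses and reserved example domains), and the injectable `resolver` argument is an assumption of this example so that it runs offline; the `socket_resolver` variant uses the real system resolver if you want to try it against live addresses.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check on an SMTP client address.

Added example for this post, not the author's code. The DNS lookups are
injected so it runs offline against a constructed table; pass
resolver=socket_resolver to query the real system resolver instead.
"""
import socket


# Constructed records for the example (RFC 5737 test addresses, reserved
# example domains). Nothing here is a real record.
FAKE_PTR = {
    "192.0.2.10": "mx.example.net",     # one server hosting several domains
    "203.0.113.5": "mail.example.com",  # PTR claims a name the A record denies
    # 198.51.100.7 deliberately has no PTR record at all
}
FAKE_A = {
    "mx.example.net": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.20"],
}


def fake_resolver(rtype, name):
    """Offline stand-in for DNS: returns a list of answers, [] when none."""
    if rtype == "PTR":
        return [FAKE_PTR[name]] if name in FAKE_PTR else []
    if rtype == "A":
        return list(FAKE_A.get(name, []))
    raise ValueError("unsupported record type: " + rtype)


def socket_resolver(rtype, name):
    """Same interface backed by the system resolver (needs network)."""
    try:
        if rtype == "PTR":
            return [socket.gethostbyaddr(name)[0]]
        if rtype == "A":
            return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []
    raise ValueError("unsupported record type: " + rtype)


def fcrdns(ip, resolver=fake_resolver):
    """Return (status, ptr_name): 'no_ptr', 'mismatch', or 'ok'.

    'ok' means the PTR name's A record points back at the connecting IP,
    i.e. whoever controls the address block and whoever controls the
    forward zone agree on the name.
    """
    names = resolver("PTR", ip)
    if not names:
        return "no_ptr", None
    ptr = names[0].rstrip(".").lower()
    if ip in resolver("A", ptr):
        return "ok", ptr
    return "mismatch", ptr


def in_domain(host, domain):
    """True if host is domain itself or a name underneath it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_sender(ip, mail_from_domain, policy="lenient", resolver=fake_resolver):
    """Decide whether to accept a connection from ip claiming mail_from_domain.

    policy='lenient' approximates the AOL behaviour described in the post:
    any forward-confirmed PTR name is enough. policy='strict' additionally
    requires the PTR name to sit inside the sender's domain, which rejects
    a shared server that legitimately sends for several domains.
    """
    status, ptr = fcrdns(ip, resolver)
    if status != "ok":
        return False, status
    if policy == "strict" and not in_domain(ptr, mail_from_domain):
        return False, "domain_mismatch"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "example.org", "lenient"),    # shared server, other domain
        ("192.0.2.10", "example.org", "strict"),
        ("192.0.2.10", "example.net", "strict"),
        ("198.51.100.7", "example.com", "lenient"),  # no PTR at all
        ("203.0.113.5", "example.com", "strict"),    # PTR not forward-confirmed
    ]
    for ip, dom, pol in cases:
        print(ip, dom, pol, "->", check_sender(ip, dom, pol))
```

The shared server at 192.0.2.10 is the client's situation from the paragraph above: it passes the lenient policy for any domain it sends for, but fails the strict policy for every domain except the one its PTR name belongs to. The address with no PTR is rejected under either policy, which is exactly the outcome that made the AT&T Worldnet experiment so painful.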
Reverse DNS can be a fairly strong tool in combating spam. We just need to get the e-mail administrators of the world on board and get their DNS records configured correctly.
What I'm presenting here is really watered down and simplistic, but I hope you get the picture. I also sometimes have a tendency to leave stuff out because I'm usually writing for other technical people, who usually fill in the blanks themselves. I realize some of my audience might not be that technical, so let me know if I'm leaving glaring gaps.
Note: You won't necessarily create your PTR records with your DNS host. PTR records live in the reverse zone (under in-addr.arpa) for your address block, which is delegated to whoever owns the addresses, so your ISP, who manages the IP addresses you're assigned, will normally take care of your PTR records. If your ISP and DNS host are one and the same, then Bob's your uncle.
Two great tools for DNS:
www.dnsstuff.com
www.dnsreport.com
On OS X security
Posted by massnerder on May 16, 2006
Mac enthusiasts always like to tout the security of OS X. Leo Laporte even says he doesn't run antivirus on his Macs. I think he, and many other Mac users, are flirting with disaster. I actually ran my PCs for several years without antivirus. But I was probably very lucky.
The problem is that software is written by humans, who make mistakes. Even the various "security" software products used to lock down PCs and networks have flaws and need to be updated periodically to patch vulnerabilities (even Apple issues security updates for OS X from time to time). When you're talking about operating systems, you're dealing with millions of lines of code, within thousands of modules, written by hundreds, if not thousands, of people. These modules have any number of interactions with other modules that were written by others. Humans are fallible and unable to make accurate and reliable correlations across that much information, and computers don't have the intelligence to validate complex code interactions for their security.
The truth is there have been far fewer people intensely looking for vulnerabilities in OS X than in Windows. Given the Mac's lack of market share, there just hasn't been that much interest. In the past, the interest was in having the most widespread effect possible with your exploits, mostly for attention and chest thumping. Now, it's all about the volume of systems you have under your control to rent out to spyware purveyors and other ne'er-do-wells. When Mac enthusiasts make claims about the superior security of OS X, it is an invitation to crackers to uncover vulnerabilities in their system out of sheer spite.
On the other hand, there's still the small market share issue and OS X might be considered not worth the effort. /shrug
Posted in Commentary, Tech