What would you do about questionable domain pointing A record to your IP address?

William Herrin bill at herrin.us
Fri Feb 20 18:20:39 UTC 2015


On Fri, Feb 20, 2015 at 12:08 PM, Anne P. Mitchell, Esq.
<amitchell at isipp.com> wrote:
> We have an email reputation accreditation applicant, who otherwise
> looks clean, however there is a very strange and somewhat
> concerning domain being pointed to one of the applicant's IP
> addresses.  Let's call the domain example.com, and the IP
> address 127.0.0.1, for these purposes.
>
> Applicant is assigned 127.0.0.1.  The rDNS correctly goes to their own domain.
>
> However, example.com (which in reality is a concerning domain
> name) claims 127.0.0.1 as their A record.

Howdy,

How does 127.0.0.1 behave when you access it and declare yourself to
be seeking example.com? If it's a mail server, what happens when you
try to mail postmaster at examplecompany.com? Do you get a no-relaying
message or one of the other errors appropriate to a server not
configured to handle mail for example.com? If it's a web server, what
happens when your browser asks for Host: www.example.com? Do you get
example.com's web page?

Also check 3rd party databases to the extent possible. Can you find
examples of dastardly example.com activity from 127.0.0.1 during a
time the whois records say applicant had control of 127.0.0.1?

You get the general idea. Check for things you know to be under the
applicant's control. If they come up clean, they're clean. If they're
dirty and they're sloppy enough to not clean up the example.com DNS
zone file then they'll be sloppy elsewhere too.

Regards,
Bill Herrin



-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
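The probes Bill lists above (ask the IP for the suspect domain over HTTP and over SMTP, then compare forward and reverse DNS) as an added Python example; this is not code from the thread or from either poster. All hostnames such as mx.applicant.test and every server reply below are constructed for illustration, and the network layer is injectable (tcp_exchange / SocketPeer for live use, canned_io / ScriptedPeer offline) so the decision logic can be exercised without touching the applicant's IP.

```python
"""Does the IP actually answer for the suspect domain, and does DNS line up?
Added example; server replies and hostnames are constructed, not real."""
import socket
from typing import Callable, Dict, List, Tuple

IOFunc = Callable[[bytes], bytes]  # one-shot exchange: request bytes in, whole reply out


def tcp_exchange(ip: str, port: int, timeout: float = 10.0) -> IOFunc:
    """Live one-shot TCP exchange, suitable for HTTP with Connection: close."""
    def io(data: bytes) -> bytes:
        with socket.create_connection((ip, port), timeout) as s:
            s.sendall(data)
            chunks = []
            while chunk := s.recv(65536):
                chunks.append(chunk)
        return b"".join(chunks)
    return io


def canned_io(by_host: Dict[str, bytes], default: bytes) -> IOFunc:
    """Offline stand-in for tcp_exchange: picks a constructed reply by Host header."""
    def io(req: bytes) -> bytes:
        hosts = [l[5:].strip().decode() for l in req.split(b"\r\n") if l.lower().startswith(b"host:")]
        return by_host.get(hosts[0], default) if hosts else default
    return io


def http_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request whose only distinguishing feature is the Host header."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: vhost-probe\r\nConnection: close\r\n\r\n").encode()


def parse_http(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body


def vhost_verdict(io: IOFunc, domain: str, control: str = "nobody.invalid") -> str:
    """Ask for the suspect domain and for a name nobody serves; a difference in
    status, Location or body means the server has a vhost for the domain."""
    ds, dh, db = parse_http(io(http_request(domain)))
    cs, ch, cb = parse_http(io(http_request(control)))
    if (ds, dh.get("location"), db) != (cs, ch.get("location"), cb):
        return "serves_domain"
    return "default_only"


class SocketPeer:
    """Line-oriented live peer for the SMTP dialog."""
    def __init__(self, ip: str, port: int = 25, timeout: float = 10.0):
        self.sock = socket.create_connection((ip, port), timeout)
        self.f = self.sock.makefile("rb")
    def readline(self) -> bytes: return self.f.readline()
    def send(self, data: bytes) -> None: self.sock.sendall(data)


class ScriptedPeer:
    """Offline stand-in: canned replies served one per command (constructed data)."""
    def __init__(self, replies: List[bytes]):
        self._queue = list(replies)
        self._buf = self._queue.pop(0)          # first entry is the banner
        self.sent: List[bytes] = []
    def readline(self) -> bytes:
        line, nl, self._buf = self._buf.partition(b"\n")
        return line + nl
    def send(self, data: bytes) -> None:
        self.sent.append(data)
        self._buf += self._queue.pop(0) if self._queue else b""


def smtp_rcpt_verdict(peer, domain: str, helo: str = "probe.invalid") -> Tuple[int, str]:
    """Walk the dialog to RCPT TO:<postmaster@domain> and classify the reply."""
    def reply() -> Tuple[int, bytes]:
        lines = []
        while True:
            line = peer.readline()
            lines.append(line)
            if len(line) < 4 or line[3:4] != b"-":   # last line of a multi-line reply
                break
        code = int(lines[0][:3]) if lines[0][:3].isdigit() else 0
        return code, b"".join(lines)
    def cmd(c: str) -> Tuple[int, bytes]:
        peer.send(c.encode() + b"\r\n")
        return reply()
    code, _ = reply()                                  # banner
    if code != 220:
        return code, "no_smtp_banner"
    if cmd(f"EHLO {helo}")[0] != 250:                  # old servers may want HELO
        cmd(f"HELO {helo}")
    cmd(f"MAIL FROM:<postmaster@{helo}>")
    code, text = cmd(f"RCPT TO:<postmaster@{domain}>")
    cmd("QUIT")
    if code == 250:
        return code, "accepts_mail_for_domain"
    if b"relay" in text.lower():
        return code, "relay_denied"                    # not configured for the domain
    if code in (550, 551, 553):
        return code, "rejects_recipient"
    return code, "other"


def dns_consistency(domain_a: List[str], ip: str, ptr: str, applicant_domain: str) -> Dict[str, bool]:
    """Does the suspect domain really point here, and is the PTR under the applicant's domain?"""
    p = ptr.rstrip(".").lower().split(".")
    a = applicant_domain.rstrip(".").lower().split(".")
    return {"domain_points_here": ip in domain_a, "ptr_under_applicant": p[-len(a):] == a}


def live_dns(domain: str, ip: str) -> Tuple[List[str], str]:
    """A records for the domain and the PTR for the IP, via the system stub resolver."""
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        ptr = ""
    return socket.gethostbyname_ex(domain)[2], ptr
```

For a live run, `vhost_verdict(tcp_exchange(ip, 80), "example.com")` and `smtp_rcpt_verdict(SocketPeer(ip), "example.com")` give the two answers Bill asks for, and `dns_consistency(*live_dns("example.com", ip), applicant_domain)` confirms that the forward record still points at the IP and that the PTR belongs to the applicant. A "relay_denied" or "rejects_recipient" SMTP verdict together with "default_only" on HTTP is what a server that merely happens to be named by someone else's zone looks like; "accepts_mail_for_domain" or "serves_domain" means the applicant has configured the host for that domain and should be asked why.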