Linode Outbreaks, and Why the PTR Record Is Important

Today's report is about Linode, but it could just as easily be about many other providers, and it illustrates why the ability to block email based on PTR records is important, ideally at the SMTP layer, BEFORE you waste the overhead of processing the message. Real email operators will (or are supposed to, according to best practices) change the rDNS to reflect their company, e.g. mail.companyname.com. The hackers and script kiddies who load bulk-email programs and hacks onto vulnerable servers usually can't modify the rDNS themselves without triggering alerts or breaking things; the ability to change rDNS is normally locked down to the system administrator or the upstream provider.

The generic rDNS could be an address such as *.static.upstream.com, or it could follow a provider-wide pattern like the recent outbreaks at SoftLayer, e.g.

168.1.29.242-static.reverse.softlayer.com

But in today's case it was the Linode network that was especially active.

IP address        Reporting ISPs   PTR record
45.79.0.153       8                li1099-153.members.linode.com
45.79.68.23       20               li1167-23.members.linode.com
45.79.69.114      7                li1168-114.members.linode.com
45.79.71.113      35               li1170-113.members.linode.com
45.79.88.171      8                li1187-171.members.linode.com
45.79.108.89      6                li1207-89.members.linode.com
45.79.128.228     21               li1227-228.members.linode.com
45.79.136.226     7                li1235-226.members.linode.com
45.79.154.47      8                li1253-47.members.linode.com
45.79.181.254     1                li1280-254.members.linode.com
85.90.244.62      39               li1427-62.members.linode.com
103.3.63.6        31               li819-6.members.linode.com
139.162.27.15     37               li868-15.members.linode.com
139.162.29.190    1                li870-190.members.linode.com
139.162.149.101   1                li1416-101.members.linode.com
139.162.156.90    36               li1423-90.members.linode.com
139.162.159.120   1                li1426-120.members.linode.com
151.236.221.233   35               li585-233.members.linode.com
178.79.139.130    1                li195-130.members.linode.com

The second number is the number of ISPs that reported the problem.
This is a PTR pattern you may want to treat as suspect, or choose to block outright on your email servers. Real email operators on the Linode network will of course have proper rDNS records and shouldn't be affected.
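To make the connect-time check concrete, here is an added example (not code from the original post or from Linode) that classifies an SMTP client by its PTR name the way the post describes: it matches the two generic provider patterns named above (members.linode.com and static.reverse.softlayer.com), plus a hypothetical *.static.upstream.com pattern, confirms that the PTR resolves back to the connecting address, and tallies the report table from the post, which is embedded as constructed sample input. The resolver is injected so the code runs offline; the mail.example.com host and its 203.0.113.10 address are constructed too.

```python
"""Classify SMTP clients by their PTR (rDNS) name at connect time.

Added example; not the original post's code. Embeds the post's report table
as constructed sample input and uses the generic-provider patterns the post
names plus one hypothetical *.static.upstream.com pattern.
"""
import ipaddress
import re
from collections import Counter

# Generic, provider-assigned rDNS patterns. A match means "unconfigured customer
# host"; a real mail operator would have replaced it with e.g. mail.company.com.
GENERIC_PTR_PATTERNS = [
    re.compile(r"^li\d+-\d{1,3}\.members\.linode\.com$", re.IGNORECASE),
    re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}-static\.reverse\.softlayer\.com$", re.IGNORECASE),
    # Hypothetical: the "*.static.upstream.com" style of name the post mentions.
    re.compile(r"^(?:[a-z0-9-]+\.)+static\.upstream\.com$", re.IGNORECASE),
]

# Constructed sample: the report table from the post (ip, reporting ISPs, PTR).
REPORT_LINES = """\
45.79.0.153 8 li1099-153.members.linode.com
45.79.68.23 20 li1167-23.members.linode.com
45.79.69.114 7 li1168-114.members.linode.com
45.79.71.113 35 li1170-113.members.linode.com
45.79.88.171 8 li1187-171.members.linode.com
45.79.108.89 6 li1207-89.members.linode.com
45.79.128.228 21 li1227-228.members.linode.com
45.79.136.226 7 li1235-226.members.linode.com
45.79.154.47 8 li1253-47.members.linode.com
45.79.181.254 1 li1280-254.members.linode.com
85.90.244.62 39 li1427-62.members.linode.com
103.3.63.6 31 li819-6.members.linode.com
139.162.27.15 37 li868-15.members.linode.com
139.162.29.190 1 li870-190.members.linode.com
139.162.149.101 1 li1416-101.members.linode.com
139.162.156.90 36 li1423-90.members.linode.com
139.162.159.120 1 li1426-120.members.linode.com
151.236.221.233 35 li585-233.members.linode.com
178.79.139.130 1 li195-130.members.linode.com
"""


def parse_report_line(line):
    """'ip count ptr' -> (IPv4Address, int, normalized PTR name)."""
    ip, count, ptr = line.split()
    return ipaddress.ip_address(ip), int(count), ptr.rstrip(".").lower()


def is_generic_ptr(ptr):
    """True if the PTR name looks provider-assigned rather than operator-chosen."""
    return any(p.match(ptr) for p in GENERIC_PTR_PATTERNS)


def fcrdns_ok(ip, ptr, resolve_a):
    """Forward-confirmed rDNS: the PTR name must resolve back to the client IP.
    resolve_a(name) returns the set of A records as strings (injected for offline use)."""
    return str(ip) in resolve_a(ptr)


def smtp_connect_policy(ip, ptr, resolve_a, block_generic=True):
    """Decision at connect time, before HELO or DATA cost anything.
    Returns (action, reason) with action in {ACCEPT, SUSPECT, REJECT}."""
    ip = ipaddress.ip_address(ip)
    if not ptr:
        return "SUSPECT", "no PTR record"
    ptr = ptr.rstrip(".").lower()
    if not fcrdns_ok(ip, ptr, resolve_a):
        return "SUSPECT", "PTR does not resolve back to client IP"
    if is_generic_ptr(ptr):
        return ("REJECT" if block_generic else "SUSPECT"), "generic provider rDNS"
    return "ACCEPT", "operator-assigned rDNS"


def summarize_report(text):
    """Per-provider totals keyed by the last three PTR labels: {suffix: (hosts, reports)}."""
    hosts, reports = Counter(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ip, count, ptr = parse_report_line(line)
        key = ".".join(ptr.split(".")[-3:])
        hosts[key] += 1
        reports[key] += count
    return {k: (hosts[k], reports[k]) for k in hosts}


def _build_sample_resolver():
    """Constructed offline A-record table: every PTR in the report resolves to its IP,
    plus one constructed operator host, mail.example.com -> 203.0.113.10."""
    table = {"mail.example.com": {"203.0.113.10"}}
    for line in REPORT_LINES.splitlines():
        if line.strip():
            ip, _count, ptr = parse_report_line(line)
            table[ptr] = {str(ip)}
    return lambda name: table.get(name.rstrip(".").lower(), set())


SAMPLE_RESOLVER = _build_sample_resolver()

if __name__ == "__main__":
    print(summarize_report(REPORT_LINES))
    for ip, ptr in [("45.79.0.153", "li1099-153.members.linode.com"),
                    ("203.0.113.10", "mail.example.com"),
                    ("45.79.0.153", "mail.example.com")]:
        print(ip, ptr, smtp_connect_policy(ip, ptr, SAMPLE_RESOLVER))
```

The same regular expressions can be loaded into the MTA's client-hostname access table so the rejection happens during the SMTP dialogue rather than after the message is queued (Postfix's check_reverse_client_hostname_access restriction takes exactly this kind of pattern list). Keeping the forward-confirmation step separate matters: a generic name that does not even resolve back to the client is a different, weaker signal than a confirmed generic name, and you may want to log rather than reject on it.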

