It means there is no rDNS for the ip. In other words there is no domain name associated with a given ip - there is no ptr record. When you visit a site there is an IP associated with the site. The rDNS is the opposite.

It should not be used as a general criteria to restrict access to a site if that's what you're asking. But it could be used for other cases like when receiving emails or if you are certain there is rDNS (for instance popular search engines typically have one when they visit your site).

Also performing rDNS on its own doesn't do much. An IP could resolve - for example to localhost or any domain name just because it's mis-configured by error or on purpose. Therefore after you retrieve the PTR you would have to do additional testing to ensure the PTR resolves now to the original IP.

Also this kind of detection methods should not be used on the long run.

Well, I'm using one of those www pages that checks in both directions for you. The line "could be forged" definitely makes me think of e-mail rather than www site visitors-- and I don't think I have ever in my life received an e-mail whose content left me in doubt about whether it was spam or real mail. (I'm an individual human, not an ISP, so I don't have to deal with the messy issue of decoding forged headers and blocking senders at the source.)

So far I haven't found anything that works better than gut feeling: page A gets a fair number of visitors from Portugal, so I don't bother about them, but why the ### should people from Belarus suddenly take an interest in page B?

Most of the time, "does not exist" seems to refer only to the exact wording of the address. The domain part is the same. Or it isn't, at which point it is probably easier to deploy the "because I don't like your face" rule than to bother with any more investigation. The address that prompted the original question is, as I said, administered by people who are moderately clueless* so I wouldn't put it past them to assign a local address in a non-standard format.


* They're actively promoting a related site that has, to my certain knowledge, not been touched since 2004, which gives you some idea.

people from Belarus suddenly take an interest in page B

I don't think they do. Concentrate on the queries, at least in my case various visits sole purpose is to scrap content, hack the site and/or spam the forms in every way possible.

Some of the ips are returning funny DNS names which are forged of course and they may come from every country you can imagine typically via a hijacked system. In most cases it's fully automated.

Although the majority may seem to come from outside NA or Europe, it just tells me the user awareness on some countries is either lower than in US for example, or just the cost of security/original software is much higher and people can't afford it, they prefer the "risk it for free" way, which leads lots and lots of machines to structure various botnets for shady purposes.

You can also input some ips to several anti-spam services like SC and check the status of it. Sometimes I will enter a couple of them as their system may check for a compromised PC based on the open ports. When I see someone checking out or submitting a form and I am not quite sure of their intentions.

Other times just the ip blacklisted databases will do, or I will have the server doing a port scan on the standard HTTP ports given an IP. If they're open something isn't right.