possible localhost dns spoof attack
Earlier today I noticed a spammer using my Postfix server as a relay to send out spam. This was puzzling because I had all requisite anti-relay host settings applied. Further, it was particularly alarming that Postfix seemed to be receiving the spam messages from localhost as indicated:
connect from localhost.localdomain[127.0.0.1]
After further analysis, I discovered that the traffic was not in fact being sent from 127.0.0.1. The packets were coming from:
Funnily enough, this IP's DNS resolves to the name "localhost".
Christian and I are suspicious of this. Could it be that this DNS name forms the basis of a simple DNS spoof attack that somehow confuses Postfix into thinking that the traffic comes from localhost and therefore, allows the relay to proceed?
We would appreciate your thoughts.
- Jamie wrote on 2013-02-26 11:32:
> We would appreciate your thoughts.

Check that you do not have external nameservers that can resolve localhost
into 127.0.0.1, but show logs on what Postfix really did; even if the sender
IP is localhost it should not allow relaying, unless you have
permit_mynetworks too early. That's why I only allow SMTP auth relaying,
even from localhost/RFC 1918 IPs.

To minimise the risk you should only trust localhost nameservers,
and possibly it would make sense to reject clients that have MX set as
localhost or 127.0.0.1.

Well, I admit I'm just speculating here, so logs please, with postconf -n.
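As an added example (not code from the thread or from Postfix), here is the kind of log check the reply asks for: it parses the smtpd "connect from name[ip]" lines and flags any client whose reverse-DNS name claims to be localhost while the bracketed peer address, which Postfix takes from the TCP socket rather than from DNS, is not a loopback address. The sample log lines are constructed, with RFC 5737 documentation addresses standing in for real clients.

```python
import ipaddress
import re

# Postfix smtpd logs each client as "connect from <name>[<ip>]": the name comes
# from reverse DNS (or is "unknown"), the bracketed address is the TCP peer.
# IPv6 peers are logged with an "IPv6:" prefix, e.g. "[IPv6:::1]".
CONNECT_RE = re.compile(r"connect from (?P<name>\S+?)\[(?P<ip>[^\]]+)\]")

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def is_loopback(ip_text):
    """True only for genuine loopback addresses (127.0.0.0/8 or ::1)."""
    if ip_text.startswith("IPv6:"):
        ip_text = ip_text[len("IPv6:"):]
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def name_claims_localhost(name):
    """True if the reverse-DNS name looks like localhost (any suffix)."""
    label = name.lower().rstrip(".")
    return label in LOOPBACK_NAMES or label.startswith("localhost.")


def suspicious_connects(log_lines):
    """Return (name, ip) pairs where the resolved name says 'localhost'
    but the peer address is not a loopback address."""
    hits = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        name, ip = m.group("name"), m.group("ip")
        if name_claims_localhost(name) and not is_loopback(ip):
            hits.append((name, ip))
    return hits


# Constructed sample log lines (not taken from the original thread).
SAMPLE_LOG = [
    "Feb 26 10:01:02 mail postfix/smtpd[1234]: connect from localhost.localdomain[127.0.0.1]",
    "Feb 26 10:01:09 mail postfix/smtpd[1235]: connect from localhost[198.51.100.23]",
    "Feb 26 10:02:15 mail postfix/smtpd[1236]: connect from unknown[203.0.113.9]",
    "Feb 26 10:03:00 mail postfix/smtpd[1237]: connect from localhost[IPv6:::1]",
]

if __name__ == "__main__":
    for name, ip in suspicious_connects(SAMPLE_LOG):
        print(f"reverse DNS says {name!r} but peer address is {ip}")
```

Only the second sample line is reported; a genuine loopback connection, whether 127.0.0.1 or ::1, is left alone regardless of its name.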