Re: possible localhost dns spoof attack

  • Noel Jones
    Message 1 of 32, Feb 26, 2013
      On 2/26/2013 4:32 AM, Jamie wrote:
      > Hi
      >
      > Earlier today I noticed a spammer using my Postfix server as a relay
      > to send out spam. This was puzzling because I had all requisite anti-relay
      > host settings applied. Further, it was particularly alarming
      > that Postfix seemed to be receiving the spam messages from localhost
      > as indicated:
      >
      > connect from localhost.localdomain[127.0.0.1]
      >

      I suspect your analysis is faulty. Please show "postconf -n" and
      unaltered log entries demonstrating the problem.


      > After further analysis, I discovered that the traffic was not in
      > fact being sent from 127.0.0.1. The packets were coming from:
      >
      > 113.167.239.162
      >
      > Funnily enough, this IP's DNS resolves to the name "localhost".

      There are several whole netblocks in Asia that resolve to localhost.

      [My guess is this is the ISP's effort to mark the netblock as home
      users rather than anything malicious. Seems too lame, too easy to
      detect, and too easy to block to be malicious. I could be wrong.]

      Postfix will log all connections from these hosts as "unknown" with
      the real IP address.

      If postfix logs a connection from 127.0.0.1, the connection *really
      is* from localhost. Maybe you were looking at a content_filter log
      line?


      >
      > Christian and I are suspicious of this. Could it be that this DNS
      > name forms the basis of a simple DNS spoof attack that somehow
      > confuses Postfix into thinking that the traffic comes from localhost
      > and therefore, allows the relay to proceed?

      This won't fool postfix. Please post evidence before jumping to wild
      conclusions.



      -- Noel Jones
    • Benny Pedersen
      Message 32 of 32, Feb 28, 2013
        Jamie wrote on 2013-02-26 11:32:

        > We would appreciate your thoughts.

        Check that you do not have external nameservers that can resolve localhost
        into 127.0.0.1, but show logs on what Postfix really did. Even if the sender
        IP is localhost it should not allow relaying, unless you have
        permit_mynetworks too early; that's why I only allow SMTP auth relaying,
        even from localhost/RFC 1918 IPs.

        To minimise the risk you should only trust localhost nameservers.

        And possibly it would make sense to reject clients that have MX set as
        localhost or 127.0.0.1.

        Well, I admit I'm just speculating here, so logs please, with postconf -n.
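Both replies rest on the same point: Postfix only trusts a client's reverse name when the forward lookup of that name returns the connecting IP, and otherwise logs the client as "unknown". The following is an added illustration, not code from the thread or from Postfix, that emulates that check against a constructed, offline stand-in for DNS (the PTR and A tables are hypothetical, modelled on the IP Jamie reported) and then scans some constructed log lines for a client name that claims "localhost" while the address is not loopback, which a genuine smtpd "connect from" line would never show.

```python
import ipaddress
import re

# Constructed stand-in for DNS (no network lookups). The PTR for
# 113.167.239.162 is modelled on the thread; the rest is hypothetical.
PTR = {
    "127.0.0.1": "localhost.localdomain",
    "113.167.239.162": "localhost",  # remote netblock whose reverse DNS says "localhost"
    "192.0.2.10": "mail.example.net",
}
A = {
    "localhost.localdomain": {"127.0.0.1"},
    "localhost": {"127.0.0.1"},
    "mail.example.net": {"192.0.2.10"},
}

def verified_client_name(ip, ptr=PTR, a=A):
    """Emulate Postfix's forward-confirmed reverse DNS check.
    The reverse name is accepted only if its forward lookup contains the
    connecting IP; otherwise the client is logged as "unknown"."""
    name = ptr.get(ip)
    if name is None or ip not in a.get(name, set()):
        return "unknown"
    return name

LOG_RE = re.compile(r"connect from (?P<name>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]")

def suspicious_localhost_claims(lines):
    """Return (name, ip) pairs where a 'connect from' line names the client
    'localhost...' but the IP is not a loopback address. Postfix's own check
    rules this out for smtpd, so any hit deserves a closer look at where the
    line came from (altered log, or a different component)."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        name, ip = m.group("name"), m.group("ip")
        if name.startswith("localhost") and not ipaddress.ip_address(ip).is_loopback:
            hits.append((name, ip))
    return hits

# Constructed sample log lines, not taken from the thread.
SAMPLE_LOG = [
    "Feb 26 04:32:01 mx postfix/smtpd[1234]: connect from localhost.localdomain[127.0.0.1]",
    "Feb 26 04:32:05 mx postfix/smtpd[1235]: connect from unknown[113.167.239.162]",
    "Feb 26 04:32:09 mx postfix/smtpd[1236]: connect from localhost[113.167.239.162]",
]
```

Running `verified_client_name("113.167.239.162")` yields "unknown", which is exactly the second sample line; only the third, inconsistent line is flagged by `suspicious_localhost_claims(SAMPLE_LOG)`.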