Re: possible localhost dns spoof attack

  • Jamie
    Message 1 of 32 , Feb 26, 2013
      I ran chkrootkit with clean results.

      For kicks: I sent a test email to myself from a web mail client. It
      seems connect from localhost.localdomain[127.0.0.1] is outputted under
      normal circumstances. Thus, it must be something to do with the way in
      which postfix passed mails along to the antivirus, antispam scanners. I
      am just not sure how to interpret the Postfix logs. The question
      remains... how did this spammer use this server as an open relay when
      it's been disallowed in the configuration?

      Feb 26 06:46:26 serve postfix/smtpd[12617]: connect from
      out1-smtp.messagingengine.com[66.111.4.25]
      Feb 26 06:46:26 serve postfix/smtpd[12617]: setting up TLS connection
      from out1-smtp.messagingengine.com[66.111.4.25]
      Feb 26 06:46:27 serve postfix/smtpd[12617]: Anonymous TLS connection
      established from out1-smtp.messagingengine.com[66.111.4.25]: TLSv1 with
      cipher ADH-AES256-SHA (256/256 bits)
      Feb 26 06:46:27 serve postfix/smtpd[12617]: 3E42E10DB6:
      client=out1-smtp.messagingengine.com[66.111.4.25]
      Feb 26 06:46:27 serve postfix/cleanup[12621]: 3E42E10DB6:
      message-id=<1361889074.16425.140661197113865.2ECDDD46@...>
      Feb 26 06:46:27 serve postfix/qmgr[19586]: 3E42E10DB6:
      from=<jamieb@...>, size=2433, nrcpt=1 (queue active)
      Feb 26 06:46:27 serve postfix/smtpd[12617]: disconnect from
      out1-smtp.messagingengine.com[66.111.4.25]
      root@serve:/var/log# tail mail.log
      Feb 26 06:46:32 serve postfix/smtpd[12638]: connect from
      localhost.localdomain[127.0.0.1]
      Feb 26 06:46:32 serve postfix/smtpd[12638]: 597DB10DC1:
      client=localhost.localdomain[127.0.0.1]
      Feb 26 06:46:32 serve postfix/cleanup[12621]: 597DB10DC1:
      message-id=<1361889074.16425.140661197113865.2ECDDD46@...>
      Feb 26 06:46:32 serve postfix/smtpd[12638]: disconnect from
      localhost.localdomain[127.0.0.1]
      Feb 26 06:46:32 serve postfix/qmgr[19586]: 597DB10DC1:
      from=<jamieb@...>, size=2858, nrcpt=1 (queue active)
      Feb 26 06:46:32 serve amavis[26243]: (26243-14) Passed CLEAN,
      [66.111.4.25] [66.111.4.25] <jamieb@...> ->
      <jamie@...>, Message-ID:
      <1361889074.16425.140661197113865.2ECDDD46@...>,
      mail_id: Qgl96w7X5Ph8, Hits: -1.791, size: 2433, queued_as: 597DB10DC1,
      5037 ms
      Feb 26 06:46:32 serve postfix/smtp[12624]: 3E42E10DB6:
      to=<jamie@...>, relay=127.0.0.1[127.0.0.1]:10024,
      delay=5.2, delays=0.12/0/0/5, dsn=2.0.0, status=sent (250 2.0.0 Ok:
      queued as 597DB10DC1)
      Feb 26 06:46:32 serve postfix/qmgr[19586]: 3E42E10DB6: removed
      Feb 26 06:46:32 serve postfix/local[12641]: 597DB10DC1:
      to=<jamie@...>, relay=local, delay=0.07,
      delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
      Feb 26 06:46:32 serve postfix/qmgr[19586]: 597DB10DC1: removed
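As an added example (not from this thread or from Postfix), here is a small Python script that reads the relationship the log above shows: a message queued from the remote client is handed to the content filter on 127.0.0.1:10024 and comes back as a new queue id submitted from 127.0.0.1, so that localhost connect is the filter's reinjection rather than a relay from outside. A localhost submission with no such parent is the one worth a closer look. The sample log lines are constructed to mirror the excerpt above, with shortened addresses.

```python
import re

# Constructed sample modelled on the thread's mail.log excerpt (addresses shortened).
SAMPLE_LOG = """\
Feb 26 06:46:26 serve postfix/smtpd[12617]: connect from out1-smtp.messagingengine.com[66.111.4.25]
Feb 26 06:46:27 serve postfix/smtpd[12617]: 3E42E10DB6: client=out1-smtp.messagingengine.com[66.111.4.25]
Feb 26 06:46:27 serve postfix/qmgr[19586]: 3E42E10DB6: from=<jamieb@example.org>, size=2433, nrcpt=1 (queue active)
Feb 26 06:46:32 serve postfix/smtpd[12638]: 597DB10DC1: client=localhost.localdomain[127.0.0.1]
Feb 26 06:46:32 serve postfix/smtp[12624]: 3E42E10DB6: to=<jamie@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.2, delays=0.12/0/0/5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 597DB10DC1)
Feb 26 06:46:32 serve postfix/local[12641]: 597DB10DC1: to=<jamie@example.org>, relay=local, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
"""

QID_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
CLIENT_RE = re.compile(r"client=[^\[]*\[([^\]]+)\]")
RELAY_RE = re.compile(r"relay=([^,]+)")
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-F]{6,})")

def parse_queue_events(log_text):
    """Per queue id: submitting client IP (smtpd), relay handed to, child id from 'queued as'."""
    events = {}
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue  # connect/disconnect lines carry no queue id
        daemon, qid, rest = m.groups()
        rec = events.setdefault(qid, {"client": None, "relay": None, "child": None})
        if daemon == "smtpd" and (c := CLIENT_RE.search(rest)):
            rec["client"] = c.group(1)
        if r := RELAY_RE.search(rest):
            rec["relay"] = r.group(1)
        if q := QUEUED_AS_RE.search(rest):
            rec["child"] = q.group(1)
    return events

def classify_localhost_submissions(log_text):
    """Tag each 127.0.0.1 submission as the content filter's reinjection of an earlier
    message (with that message's real client IP) or as an unexplained local submission."""
    events = parse_queue_events(log_text)
    parent_of = {rec["child"]: qid for qid, rec in events.items() if rec["child"]}
    verdicts = {}
    for qid, rec in events.items():
        if rec["client"] != "127.0.0.1":
            continue
        parent = parent_of.get(qid)
        if parent:
            verdicts[qid] = ("reinjected", parent, events[parent]["client"])
        else:
            verdicts[qid] = ("unexplained", None, None)
    return verdicts
```

Run over a full mail.log, any queue id reported as "unexplained" is a local submission that the filter did not create, which is where to start looking for the relay path.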
    • Benny Pedersen
      Message 32 of 32 , Feb 28, 2013
        Jamie wrote on 2013-02-26 11:32:

        > We would appreciate your thoughts.

        check that you do not have external nameservers that can resolve localhost
        into 127.0.0.1, but show logs on what postfix really did, even if sender
        ip is localhost it should not allow relaying, unless you have
        permit_mynetworks too early, that's why I only allow SMTP auth relaying,
        even from localhost/rfc1918 ips

        to minimise the risk you should only trust localhost nameservers

        and possibly it would make sense to reject clients that have mx set as
        localhost or 127.0.0.1

        well I admit I'm just speculating here, so logs please, with postconf -n