Re: possible localhost dns spoof attack

  • Lorens Kockum
    Message 1 of 32 , Feb 27, 2013
      On Tue, Feb 26, 2013 at 05:16:20PM +0200, Jamie wrote:
      > I unblocked the IP and the problem came back.

      In another mail you said you'd used tcpdump. Why don't you set
      tcpdump to record everything from that IP address, unblock the
      IP address, wait for a few spams to go through, block the
      IP address, and analyze the tcpdump to see exactly what is
      happening?

      This should do it:

      tcpdump -i $INTERFACE -s 0 -w /tmp/spammer.tcpdump host 113.167.239.162
  • Benny Pedersen
    Message 32 of 32 , Feb 28, 2013
        Jamie wrote on 2013-02-26 11:32:

        > We would appreciate your thoughts.

        Check that you have no external nameservers that can resolve localhost
        into 127.0.0.1, but show logs on what postfix really did. Even if the sender
        IP is localhost it should not allow relaying, unless you have
        permit_mynetworks too early; that's why I only allow SMTP auth relaying,
        even from localhost/rfc1918 IPs.

        To minimise the risk you should only trust localhost nameservers.

        And possibly it would make sense to reject clients that have MX set as
        localhost or 127.0.0.1.

        Well, I admit I'm just speculating here, so logs please, with postconf -n.
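As an added example that is not part of the thread (my own code, not Benny's), the two checks he suggests as a small Python script: it audits a `postconf -n` style dump for whether `permit_mynetworks` grants relaying ahead of `reject_unauth_destination` and how wide `mynetworks` is, and it flags MX hosts whose addresses fall in loopback or RFC 1918 space. The postconf excerpts, the resolved MX addresses and the function names are all constructed for illustration; the script reads no live DNS or mail logs.

```python
"""Added example, not code from the thread: two offline checks for the points
Benny raises -- whether the Postfix relay policy trusts mynetworks clients (and
how wide mynetworks is), and whether a domain's MX hosts resolve to loopback or
RFC 1918 addresses. All input below is constructed for illustration."""
import ipaddress
import re

# Constructed `postconf -n` excerpt: default-style policy that lets every client
# matching mynetworks relay, with a private LAN range added to mynetworks.
WEAK_POSTCONF = """\
mydomain = example.net
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.0.0/16
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Constructed hardened counterpart: relaying only for SASL-authenticated
# clients, and mynetworks reduced to loopback.
HARDENED_POSTCONF = """\
mydomain = example.net
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = reject_unauth_destination
"""


def parse_postconf(text):
    """Parse `name = value` lines into a dict. Lines starting with whitespace
    continue the previous value (main.cf style), so pasted config works too."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit_relay_policy(params):
    """Return findings about unauthenticated relaying. smtpd_relay_restrictions
    (Postfix 2.10+) decides relaying when present; otherwise the older
    smtpd_recipient_restrictions does."""
    findings = []
    key = ("smtpd_relay_restrictions" if "smtpd_relay_restrictions" in params
           else "smtpd_recipient_restrictions")
    rules = split_list(params.get(key, ""))
    if "permit_mynetworks" in rules:
        permit_at = rules.index("permit_mynetworks")
        reject_at = (rules.index("reject_unauth_destination")
                     if "reject_unauth_destination" in rules else len(rules))
        if permit_at < reject_at:
            findings.append(f"{key}: permit_mynetworks comes before "
                            "reject_unauth_destination, so any client matching "
                            "mynetworks relays without authenticating")
    for entry in split_list(params.get("mynetworks", "")):
        literal = entry.replace("[", "").replace("]", "")  # Postfix writes [::1]/128
        try:
            net = ipaddress.ip_network(literal, strict=False)
        except ValueError:
            findings.append(f"mynetworks: {entry!r} is not an address literal; review by hand")
            continue
        if not net.is_loopback:
            findings.append(f"mynetworks: trusts {entry}, which is not loopback")
    return findings


RFC1918_AND_ULA = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal_address(addr):
    """True for loopback, link-local, unspecified, RFC 1918 or IPv6 ULA space."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or any(ip in net for net in RFC1918_AND_ULA))


def suspicious_mx_targets(mx_hosts):
    """mx_hosts maps each MX hostname to the addresses it resolved to. A public
    MX resolving to an internal address points at a bogus or spoofed answer."""
    flagged = {}
    for host, addrs in mx_hosts.items():
        bad = [a for a in addrs if is_internal_address(a)]
        if bad:
            flagged[host] = bad
    return flagged


# Constructed resolver answers; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for real public addresses.
SAMPLE_MX = {
    "mx1.example.org": ["203.0.113.10"],
    "mail.bad.example": ["127.0.0.1"],
    "mx.internal.example": ["10.0.0.5", "198.51.100.7"],
}

if __name__ == "__main__":
    for label, text in (("weak", WEAK_POSTCONF), ("hardened", HARDENED_POSTCONF)):
        print(label, audit_relay_policy(parse_postconf(text)) or ["no findings"])
    print(suspicious_mx_targets(SAMPLE_MX))
```

Feed `audit_relay_policy` the output of a real `postconf -n` to see whether the relay decision ever reaches `permit_mynetworks` before `reject_unauth_destination`; the MX check is what a policy hook would run on the sender domain's resolved MX addresses before deciding to reject.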