Re: possible localhost dns spoof attack
- On Wed, Feb 27, 2013 at 03:10:38PM -0600, Noel Jones wrote:
> On 2/27/2013 2:33 PM, /dev/rob0 wrote:
> > I only saw main.cf and some largely irrelevant logs.
> I was trying to be polite. That's all I saw too.

I tried to be polite also, but perhaps putting a little less effort
into it than you did. ;)

Just a note for the archives and for those who tend to fuss with us
when our replies don't seem sugar-coated enough for your tastes: we
really DO want to help this poster, and especially to help the
Internet be rid of some more spam. Jamie is not following directions
and is wasting our time. This thread has gone on for days, but if
proper information had been available we would have solved it long

> > Do note that your system is ipso facto compromised. We know this
> > because it is being used by a spammer to send spam. Stop saying
> > you're not compromised, when we know that you are.
> But we don't know that his system is sending spam; another reason
> we need to see logs. There is enough conflicting information here
> that everything should be verified by evidence.

I was going on the reply to Tom Hendrikx:
Date: Tue, 26 Feb 2013 13:57:33 +0200
The logs therein looked decidedly spammy, unlike the other normal
delivery logs shown.

> I'm inclined to think this is something mundane, such as an
> NDR/bounce triggered by spam from some rDNS "localhost" client or
> maybe a phished local account. Once those are eliminated as
> possible explanations, we can look for more interesting problems.

Another thing which might help isolate this, which was missing from
the master.cf in the above-referenced post, would be to use "-o
syslog_name=postfix/..." on any smtpd instance other than *:smtp.
Jamie only had a post-amavisd reinjection smtpd, no submission.
(Another good suggestion would be to isolate submission from MX mail,
but that goes beyond the original problem somewhat.)

> But now I'm guessing, which I berated others for earlier.

:)
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
- Jamie wrote on 2013-02-26 11:32:
> We would appreciate your thoughts.

Check that you don't have external nameservers that can resolve localhost
to 127.0.0.1, but show logs on what Postfix really did. Even if the sender
IP is localhost it should not allow relaying, unless you have
permit_mynetworks too early; that's why I only allow SMTP auth relaying,
even from localhost/RFC 1918 IPs.

To minimise the risk you should only trust localhost nameservers.

And possibly it would make sense to reject clients that have MX set as
localhost or 127.0.0.1.

Well, I admit I'm just speculating here, so logs please, with postconf -n.
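An added example, not from either poster: a small Python triage script for the kind of logs both replies ask for. It shows why rob0's "-o syslog_name=postfix/..." tagging matters (the reinjection listener becomes distinguishable from the public *:smtp listener) and picks out messages the public listener accepted from a client calling itself "localhost" without SASL authentication, which is the relaying Benny says should not be allowed. The log lines and the instance name postfix/amavis are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample (not from the thread). The filter reinjection listener is
# assumed to carry "-o syslog_name=postfix/amavis" in master.cf, so it logs as
# postfix/amavis/smtpd; the public *:smtp listener logs as plain postfix/smtpd.
SAMPLE_LOG = """\
Feb 26 13:57:31 mx postfix/smtpd[2301]: connect from localhost[127.0.0.1]
Feb 26 13:57:33 mx postfix/smtpd[2301]: 7A1B2C3D4E: client=localhost[127.0.0.1]
Feb 26 13:57:34 mx postfix/amavis/smtpd[2310]: 8B2C3D4E5F: client=localhost[127.0.0.1]
Feb 26 13:58:01 mx postfix/smtpd[2302]: 9C3D4E5F60: client=localhost[203.0.113.7]
Feb 26 13:58:02 mx postfix/smtpd[2302]: NOQUEUE: reject: RCPT from localhost[203.0.113.7]: 554 5.7.1 <x@example.net>: Relay access denied; from=<a@example.org> to=<x@example.net> proto=ESMTP helo=<localhost>
Feb 26 13:59:10 mx postfix/smtpd[2303]: A1B2C3D4E5: client=mail.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=jamie
"""

# Matches the "queueid: client=name[ip]" line smtpd logs when it accepts a
# message; the optional SASL fields show whether the client authenticated.
CLIENT_RE = re.compile(
    r"^\w{3}\s+\d+ \S+ \S+ (?P<instance>postfix(?:/[\w-]+)?)/smtpd\[\d+\]: "
    r"(?P<queue>[0-9A-Za-z]+): client=(?P<host>\S+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?$"
)

def parse_accepted(log_text):
    """Return one dict per message an smtpd instance accepted (NOQUEUE rejects
    and connect/disconnect lines are skipped)."""
    return [m.groupdict() for m in map(CLIENT_RE.match, log_text.splitlines()) if m]

def summarize(rows):
    """Accepted messages per (smtpd instance, client name, client IP, SASL user).
    Without distinct syslog_name values every listener collapses into 'postfix'."""
    return Counter((r["instance"], r["host"], r["ip"], r["user"]) for r in rows)

def suspicious_localhost_clients(rows, public_instance="postfix"):
    """Messages accepted on the public listener from a client presenting as
    'localhost': either its IP is not loopback (rDNS says localhost but the
    connection came from outside) or it is loopback but did not SASL-authenticate,
    traffic that belongs on the reinjection listener rather than *:smtp."""
    return [r for r in rows
            if r["instance"] == public_instance and r["host"] == "localhost"
            and (r["ip"] not in ("127.0.0.1", "::1") or r["user"] is None)]
```

Run it against a real mail log with `parse_accepted(open("/var/log/mail.log").read())`; the queue IDs it returns are the ones to grep for in full before drawing any conclusion.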