Re: possible localhost dns spoof attack

  • /dev/rob0
    Message 1 of 32 , Feb 27 1:41 PM
      On Wed, Feb 27, 2013 at 03:10:38PM -0600, Noel Jones wrote:
      > On 2/27/2013 2:33 PM, /dev/rob0 wrote:
      > > I only saw main.cf and some largely irrelevant logs.
      >
      > I was trying to be polite. That's all I saw too.

      I tried to be polite also, but perhaps putting a little less effort
      into it than you did. ;)

      Just a note for the archives and for those who tend to fuss with us
      when our replies don't seem sugar-coated enough for your tastes: we
      really DO want to help this poster, and especially to help the
      Internet be rid of some more spam. Jamie is not following directions
      and is wasting our time. This thread has gone on for days, but if
      proper information had been available we would have solved it long
      ago.

      > > Do note that your system is ipso facto compromised. We know this
      > > because it is being used by a spammer to send spam. Stop saying
      > > you're not compromised, when we know that you are.
      >
      > But we don't know that his system is sending spam; another reason
      > we need to see logs. There is enough conflicting information here
      > that everything should be verified by evidence.

      I was going on the reply to Tom Hendrikx:
      Message-ID: <512CA32D.8030501@...>
      Date: Tue, 26 Feb 2013 13:57:33 +0200
      The logs therein looked decidedly spammy, unlike the other normal
      delivery logs shown.

      > I'm inclined to think this is something mundane, such as an
      > NDR/bounce triggered by spam from some rDNS "localhost" client or
      > maybe a phished local account. Once those are eliminated as
      > possible explanations, we can look for more interesting problems.

      Another thing which might help isolate this, which was missing from
      the master.cf in the above-referenced post, would be to use "-o
      syslog_name=postfix/..." on any smtpd instance other than *:smtp.
      Jamie only had a post-amavisd reinjection smtpd, no submission.

      (Another good suggestion would be to isolate submission from MX mail,
      but that goes beyond the original problem somewhat.)

      > But now I'm guessing, which I berated others for earlier.

      :)
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
    • Benny Pedersen
      Message 32 of 32 , Feb 28 6:16 AM
        Jamie wrote on 2013-02-26 11:32:

        > We would appreciate your thoughts.

        Check that you have no external nameservers that can resolve localhost
        into 127.0.0.1, but show logs of what Postfix really did. Even if the
        sender IP is localhost it should not allow relaying, unless you have
        permit_mynetworks too early; that's why I only allow SMTP auth
        relaying, even from localhost/RFC1918 IPs.

        To minimise the risk you should only trust localhost nameservers.

        And possibly it would make sense to reject clients that have MX set as
        localhost or 127.0.0.1.

        Well, I admit I'm just speculating here, so logs please, with postconf -n.
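Putting /dev/rob0's syslog_name suggestion and Benny's restriction-ordering point into configuration, as an added example that is not code from either poster or from the original thread. The 127.0.0.1:10025 amavisd-new reinjection listener and the cidr table path are assumptions; the MX entry point keeps the default syslog_name so only the other smtpd instances are renamed, as rob0 suggested.

```text
# master.cf (example): every smtpd other than *:smtp gets its own
# syslog_name, so the mail log shows which entry point accepted a message
# (postfix/smtpd = MX, postfix/submission = authenticated users,
# postfix/amavis-reinject = content-filter reinjection).
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# Assumed reinjection port for amavisd-new; only localhost may relay here.
127.0.0.1:10025 inet n  -  n  -  -  smtpd
    -o syslog_name=postfix/amavis-reinject
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject

# main.cf (example): relaying on the MX port is granted to authenticated
# clients only. permit_mynetworks is deliberately absent, so a client
# that reaches smtpd from 127.0.0.1 (or a spoofed "localhost" rDNS)
# cannot relay without credentials. check_sender_mx_access rejects
# senders whose domain MX points into loopback space.
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_mx_access cidr:/etc/postfix/bogus_mx   # assumed path
    reject_unknown_sender_domain

# /etc/postfix/bogus_mx (cidr table, assumed path)
127.0.0.0/8    REJECT Sender domain MX points to a loopback address
```

After `postfix reload`, grepping the log for `postfix/submission` versus `postfix/smtpd` separates authenticated submissions from MX traffic and shows which listener the suspect messages came through.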