Hi
Earlier today I noticed a spammer using my Postfix server as a relay to
send out spam. This was puzzling because I had all requisite anti-relay
host settings applied. Further, it was particularly alarming that
Postfix seemed to be receiving the spam messages from localhost as
indicated:
connect from localhost.localdomain[127.0.0.1]
After further analysis, I discovered that the traffic was not in fact
being sent from 127.0.0.1. The packets were coming from:
113.167.239.162
Funnily enough, this IP's DNS resolves to the name "localhost".
Christian and I are suspicious of this. Could it be that this DNS name
forms the basis of a simple DNS spoof attack that somehow confuses
Postfix into thinking that the traffic comes from localhost and
therefore, allows the relay to proceed?
We would appreciate your thoughts.
Jamie
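As an added defender-side check, not part of the original post, here is a small Python script that scans Postfix smtpd "connect from NAME[IP]" lines and flags peers whose reverse-DNS name claims to be localhost while the bracketed address is neither loopback nor inside a configured mynetworks list. It deliberately trusts only the address, since the name comes from a PTR record that the remote side controls; the sample log lines and the 192.168.0.0/24 network are constructed values.

```python
import ipaddress
import re

# Postfix smtpd logs each inbound connection as "connect from NAME[IP]"
# (IPv4 form, as in the post). \b keeps "disconnect from" from matching.
CONNECT_RE = re.compile(r"\bconnect from (?P<name>\S+)\[(?P<ip>[0-9.]+)\]")

# Reverse-DNS names that suggest "this is the local machine". A remote peer
# can publish any PTR record it likes, so the name alone proves nothing.
LOCAL_NAMES = ("localhost", "localhost.localdomain")

def parse_connect(line):
    """Return (client_name, client_ip) from a Postfix connect line, or None."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    return m.group("name"), m.group("ip")

def is_trusted_source(ip, mynetworks):
    """True if the address (not the name) is loopback or inside mynetworks."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in mynetworks)

def find_spoofed_local_names(lines, mynetworks):
    """Flag connections whose rDNS name claims to be local while the IP is not.

    mynetworks is a list of CIDR strings (constructed here, assumed to mirror
    the Postfix mynetworks setting). Returns a list of (name, ip) pairs.
    """
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    suspicious = []
    for line in lines:
        parsed = parse_connect(line)
        if parsed is None:
            continue
        name, ip = parsed
        lname = name.lower()
        claims_local = lname in LOCAL_NAMES or lname.endswith(".localdomain")
        if claims_local and not is_trusted_source(ip, nets):
            suspicious.append((name, ip))
    return suspicious

# Constructed sample log lines: the first mirrors the line quoted in the post,
# the second is what a remote peer with a PTR record of "localhost" looks like.
SAMPLE_LOG = [
    "Mar  1 10:00:01 mx postfix/smtpd[1234]: connect from localhost.localdomain[127.0.0.1]",
    "Mar  1 10:00:05 mx postfix/smtpd[1235]: connect from localhost[113.167.239.162]",
    "Mar  1 10:00:09 mx postfix/smtpd[1236]: connect from mail.example.net[192.0.2.25]",
]

if __name__ == "__main__":
    for name, ip in find_spoofed_local_names(SAMPLE_LOG, ["192.168.0.0/24"]):
        print(f"rDNS claims local but address is remote: {name}[{ip}]")
```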