On 02/26/2013 11:32 AM, Jamie wrote:
> Hi
>
> Earlier today I noticed a spammer using my Postfix server as a relay to send out spam. This was puzzling because I had all requisite anti-relay host settings applied. Further, it was particularly alarming that Postfix seemed to be receiving the spam messages from localhost as indicated:
>
> connect from localhost.localdomain[127.0.0.1]
>
> After further analysis, I discovered that the traffic was not in fact being sent from 127.0.0.1. The packets were coming from:
>
> 113.167.239.162
>
> Funnily enough, this IP's DNS resolves to the name "localhost".
>
> Christian and I are suspicious of this. Could it be that this DNS name forms the basis of a simple DNS spoof attack that somehow confuses Postfix into thinking that the traffic comes from localhost and therefore allows the relay to proceed?
It is easy to add a directive to Postfix that whitelists a hostname "localhost", or a server HELOing as such. Of course, none of that is in the default config. We can never be sure unless you provide Postfix logging of the actual attempt, and you post your configuration.

Tom
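To make Tom's point concrete, here is an added example (not code from the thread or from the Postfix project): a small offline Python model of the two ways a connecting client can be matched. The DNS tables are constructed for the example; the address 113.167.239.162 is the one Jamie reported, and its PTR record is modelled as claiming "localhost". The `fcrdns_client_name` function mimics what Postfix itself does before it trusts a client name, which is forward-confirmed reverse DNS: the reverse name is only used if it resolves back to the connecting address, otherwise the client is recorded as "unknown". `relay_by_hostname` is the kind of name-based whitelist Tom warns about; `relay_by_mynetworks` is the address-based check that the default `mynetworks` setting provides.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS data standing in for real PTR and A lookups (not live DNS).
PTR_RECORDS: Dict[str, str] = {
    "127.0.0.1": "localhost",
    "113.167.239.162": "localhost",      # address from the thread; PTR claims "localhost"
    "198.51.100.7": "mail.example.net",  # hypothetical well-behaved client
}
A_RECORDS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1"],
    "mail.example.net": ["198.51.100.7"],
}

# Address-based trust, equivalent in spirit to Postfix's default mynetworks
# (loopback only); a client is "local" because of its address, not its name.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def fcrdns_client_name(ip: str,
                       ptr: Optional[Dict[str, str]] = None,
                       a: Optional[Dict[str, List[str]]] = None) -> str:
    """Forward-confirmed reverse DNS: return the PTR name only if it resolves
    back to the connecting address, otherwise 'unknown' (as Postfix logs it)."""
    ptr = PTR_RECORDS if ptr is None else ptr
    a = A_RECORDS if a is None else a
    name = ptr.get(ip)
    if name is None:
        return "unknown"          # no reverse record at all
    if ip in a.get(name, []):
        return name               # forward lookup confirms the reverse name
    return "unknown"              # name does not map back to this address


def log_connect_line(ip: str) -> str:
    """Render the client the way a Postfix 'connect from' line shows it."""
    return "connect from %s[%s]" % (fcrdns_client_name(ip), ip)


def relay_by_hostname(ip: str) -> bool:
    """Weak rule: trust an unverified reverse name of 'localhost'.
    Anyone controlling the PTR record for their address passes this check."""
    return PTR_RECORDS.get(ip, "unknown") == "localhost"


def relay_by_mynetworks(ip: str) -> bool:
    """Correct rule: permit relaying only for addresses inside mynetworks.
    The reverse name plays no part, so a spoofed PTR changes nothing."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


if __name__ == "__main__":
    for client in ("127.0.0.1", "113.167.239.162", "198.51.100.7"):
        print(log_connect_line(client),
              "| name-based relay:", relay_by_hostname(client),
              "| mynetworks relay:", relay_by_mynetworks(client))
```

Running it shows the remote address logged as `unknown[113.167.239.162]` once the reverse name fails forward confirmation, passed by the name-based whitelist, and refused by the address-based one. When reviewing a configuration for this class of problem, look for `check_client_access`, `check_helo_access` or `check_reverse_client_hostname_access` entries that grant `OK` on a hostname rather than an address, and keep `permit_mynetworks` as the only relay permission for "local" clients.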