On 26.02.2013 12:35, Jamie wrote:
> Borja
> 
> I am pretty sure of it. After I blocked the IP address, the spam stopped
> coming. It is no coincidence that 113.167.239.162 resolves to localhost
> (see: http://remote.12dt.com/ for confirmation).
> 
> I am fairly certain that our mail server has not been hacked.
> 
> Regards
> 
> Jamie
> 
> 
> On 2013/02/26 1:19 PM, Borja Marcos wrote:
>> On Feb 26, 2013, at 11:32 AM, Jamie wrote:
>>
>>> Hi
>>>
>>> Earlier today I noticed a spammer using my Postfix server as a relay
>>> to send out spam. This was puzzling because I had all requisite anti
>>> relay host settings applied. Further, it was particularly alarming
>>> that Postfix seemed to be receiving the spam messages from localhost
>>> as indicated:
>>>
>>> connect from localhost.localdomain[127.0.0.1]
>> Are you sure of that? I assume that Postfix is getting the peer IP
>> address from the socket, _not_  doing a lookup of the HELO name
>> offered by the SMTP client, as that would be useless and confusing.
>>
>> Do you have any web server/PHP stuff on the same machine that might
>> have been exploited instead? That would make the SMTP  connection
>> actually come from 127.0.0.1.
>>
>>
>>
>>
>> Borja.
>>
> 

Hi, double-check that no web server script is injecting mail via
localhost etc.; otherwise:

dig -x 113.167.239.162

; <<>> DiG 9.7.0-P1 <<>> -x 113.167.239.162
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53155
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;162.239.167.113.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
162.239.167.113.in-addr.arpa. 86400 IN  PTR     localhost.

That's not very rare on the Internet.

You may solve it with, e.g.:

smtpd_client_restrictions = permit_mynetworks,
                            permit_sasl_authenticated,
                            ...
                            check_reverse_client_hostname_access hash:/etc/postfix/reverse_client_hostname_access
                            ...

/etc/postfix/reverse_client_hostname_access

localhost REJECT your ptr record points to localhost fix it


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich
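
The distinction the thread turns on, as an added example that is not part of the original messages: the address in brackets in a Postfix `connect from name[address]` line is the socket peer, while the name comes from DNS and is logged as `unknown` when the PTR name does not resolve back to that address. The log lines below are constructed in Postfix smtpd style, and the function name and verdict labels are hypothetical.

```python
import ipaddress
import re

# Constructed sample lines in Postfix smtpd log style (not from the poster's server).
SAMPLE_LOG = """\
Feb 26 11:02:10 mx postfix/smtpd[2101]: connect from localhost.localdomain[127.0.0.1]
Feb 26 11:02:14 mx postfix/smtpd[2102]: warning: hostname localhost does not resolve to address 113.167.239.162
Feb 26 11:02:14 mx postfix/smtpd[2102]: connect from unknown[113.167.239.162]
Feb 26 11:03:01 mx postfix/smtpd[2103]: connect from mail.example.org[192.0.2.25]
Feb 26 11:03:09 mx postfix/smtpd[2104]: connect from localhost[::1]
"""

CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from (\S+)\[([0-9A-Fa-f:.]+)\]")
WARNING = re.compile(
    r"postfix/smtpd\[(\d+)\]: warning: hostname (\S+) does not resolve "
    r"to address ([0-9A-Fa-f:.]+?)(?::\s|$)")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def classify_connections(log_text):
    """Return (peer_ip, logged_name, verdict) for every smtpd connect line."""
    failed_ptr = {}  # (pid, ip) -> PTR name that failed forward confirmation
    results = []
    for line in log_text.splitlines():
        warn = WARNING.search(line)
        if warn:
            pid, name, ip = warn.groups()
            failed_ptr[(pid, ip)] = name.rstrip(".").lower()
            continue
        conn = CONNECT.search(line)
        if not conn:
            continue
        pid, name, ip = conn.groups()
        # Prefer the PTR name from the preceding warning over the logged "unknown".
        claimed = failed_ptr.pop((pid, ip), name.lower())
        if ipaddress.ip_address(ip).is_loopback:
            # Submitted by a process on the server itself (e.g. a web script).
            verdict = "loopback-peer"
        elif claimed in LOCAL_NAMES:
            # Remote host whose reverse DNS merely says "localhost".
            verdict = "remote-ptr-claims-localhost"
        else:
            verdict = "remote"
        results.append((ip, name, verdict))
    return results


if __name__ == "__main__":
    for row in classify_connections(SAMPLE_LOG):
        print(*row, sep="\t")
```
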
