On 02/12/2014 09:01 AM, li...@rhsoft.net wrote:
> On 12.02.2014 14:53, L. D. James wrote:
>> On 02/12/2014 08:02 AM, Wietse Venema wrote:
>>> L. D. James:
>>>> I have this in the log:
>>>> -----------------------------------------
>>>> Feb 11 21:42:41 hera5 postfix/smtpd[4802]: connect from localhost.localdomain[127.0.0.1]
>>>> Feb 11 21:42:41 hera5 postfix/smtpd[4802]: 05AAE155460: client=localhost.localdomain[127.0.0.1]
>>> This is a connection from your content filter.
>>> You need to look at the logging for connections from remote systems.
>> Hi, Wietse. Actually that isn't a connection from my content filter.
>> That is a log of how the remote system answered my helo request.
>> The information (as per the topic header) is a lie.
>> It's bogus information. The remote system is lying to the request,
>> saying they are me.
> if this is *your* logfile, "hera5" is your machine then [127.0.0.1]
> can't be a lie, can't come from a remote system and this connection
> is coming *for sure* from whatever service on *your machine*
> "smtpd" is *not* talking to a remote system and not saying "helo"
> to a remote system

Hi. hera5 is my machine. It is the host. My host machine, hera5, is
reporting the information to the log. You quoted the part where hera5
(the host machine) reported what the client said when hera5 gave a helo
request. The client lied. The client said they were
"localhost.localdomain".

Hera5 is reporting all the activity to the log. If you look a couple
of lines below that, you'll see that hera5 is also reporting the actual
machine that is telling the lie. The machine's real IP is
*216.244.76.231*. The client machine is lying to hera5 because the
spammers know that, by default, a machine will accept relaying messages
from itself. The client (which really is *216.244.76.231*) is
telling the host hera5 that they are *127.0.0.1*. That is a lie.

I can block connections from "216.244.76.231", but when studying the
logs, the same spammers use different IPs. So there are lots of
similar connections. If you look at the "helo_access" feature, you'll
see that this is handled there. It blocks all the connections which
tell hera5 they are localhost.localdomain.

-- L. James
--
L. D. James
lja...@apollo3.com
www.apollo3.com/~ljames
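
An added example, not part of the thread or of Postfix: a short Python sketch that reads smtpd log lines and keeps two values apart, the address in brackets (the peer address of the connection as smtpd sees it) and the name a client sends in HELO (logged as `helo=<...>` on reject lines). The sample log lines, the host name `mx1` and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in Postfix smtpd syslog format (not taken from the thread).
SAMPLE_LOG = """\
Feb 11 21:42:40 mx1 postfix/smtpd[4790]: connect from unknown[192.0.2.10]
Feb 11 21:42:40 mx1 postfix/smtpd[4790]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <localhost.localdomain>: Helo command rejected: Access denied; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<localhost.localdomain>
Feb 11 21:42:41 mx1 postfix/smtpd[4802]: connect from localhost.localdomain[127.0.0.1]
Feb 11 21:42:41 mx1 postfix/smtpd[4802]: 0A1B2C3D4E5: client=localhost.localdomain[127.0.0.1]
"""

# name[addr] after "from " or "client=": the address is the connection's peer.
PEER = re.compile(r"postfix/smtpd\[(\d+)\]: .*?(?:from |client=)(\S+?)\[([0-9a-fA-F.:]+)\]")
# helo=<...> carries the name the client typed; it is free text chosen by the client.
HELO = re.compile(r"helo=<([^>]*)>")


def classify(log_text):
    """Return {pid: {"peer", "loopback", "helo"}} for each smtpd process seen.

    Simplification: one session per PID, which holds for a short log excerpt.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = PEER.search(line)
        if not m:
            continue
        pid, _name, addr = m.groups()
        s = sessions.setdefault(pid, {"helo": None})
        s["peer"] = addr
        s["loopback"] = ipaddress.ip_address(addr).is_loopback
        h = HELO.search(line)
        if h:
            s["helo"] = h.group(1)
    return sessions


def forged_local_helo(sessions, local_names=("localhost", "localhost.localdomain")):
    """PIDs whose peer is not loopback but whose HELO claimed a local name."""
    return sorted(pid for pid, s in sessions.items()
                  if not s["loopback"] and s["helo"] in local_names)


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for pid, s in sorted(result.items()):
        print(pid, s)
    print("remote peers with a local HELO name:", forged_local_helo(result))
```
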