
possible localhost dns spoof attack


ja...@mailarchiva.com

Feb 25, 2013, 8:48:50 AM2/25/13
Hi

Earlier today I noticed a spammer using my Postfix server as a relay to send out spam. This was puzzling because I had all requisite anti-relay host settings applied. Further, it was particularly alarming that Postfix seems to be receiving the spam messages from localhost, as indicated:

connect from localhost.localdomain[127.0.0.1]

After further analysis, I discovered that the traffic was not in fact being sent from 127.0.0.1. The packets were coming from:

113.167.239.162

Funnily enough, this IP's DNS resolves to the name "localhost".

Christian and I are suspicious of this. Could it be that this DNS name forms the basis of a simple DNS spoof attack that somehow confuses Postfix into thinking that the traffic comes from localhost and therefore, allows the relay to proceed?

We would appreciate your thoughts.

Jamie