I ran chkrootkit with clean results.

For kicks: I sent a test email to myself from a web mail client. It seems connect from localhost.localdomain[127.0.0.1] is outputted under normal circumstances. Thus, it must be something to do with the way in which postfix passed mails along to the antivirus, antispam scanners. I am just not sure how to interpret the Postfix logs. The question remains... how did this spammer use this server as an open relay when it's been disallowed in the configuration?

Feb 26 06:46:26 serve postfix/smtpd[12617]: connect from out1-smtp.messagingengine.com[66.111.4.25]
Feb 26 06:46:26 serve postfix/smtpd[12617]: setting up TLS connection from out1-smtp.messagingengine.com[66.111.4.25]
Feb 26 06:46:27 serve postfix/smtpd[12617]: Anonymous TLS connection established from out1-smtp.messagingengine.com[66.111.4.25]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Feb 26 06:46:27 serve postfix/smtpd[12617]: 3E42E10DB6: client=out1-smtp.messagingengine.com[66.111.4.25]
Feb 26 06:46:27 serve postfix/cleanup[12621]: 3E42E10DB6: message-id=<1361889074.16425.140661197113865.2ecdd...@webmail.messagingengine.com>
Feb 26 06:46:27 serve postfix/qmgr[19586]: 3E42E10DB6: from=<jam...@fastmail.fm>, size=2433, nrcpt=1 (queue active)
Feb 26 06:46:27 serve postfix/smtpd[12617]: disconnect from out1-smtp.messagingengine.com[66.111.4.25]
root@serve:/var/log# tail mail.log
Feb 26 06:46:32 serve postfix/smtpd[12638]: connect from localhost.localdomain[127.0.0.1]
Feb 26 06:46:32 serve postfix/smtpd[12638]: 597DB10DC1: client=localhost.localdomain[127.0.0.1]
Feb 26 06:46:32 serve postfix/cleanup[12621]: 597DB10DC1: message-id=<1361889074.16425.140661197113865.2ecdd...@webmail.messagingengine.com>
Feb 26 06:46:32 serve postfix/smtpd[12638]: disconnect from localhost.localdomain[127.0.0.1]
Feb 26 06:46:32 serve postfix/qmgr[19586]: 597DB10DC1: from=<jam...@fastmail.fm>, size=2858, nrcpt=1 (queue active)
Feb 26 06:46:32 serve amavis[26243]: (26243-14) Passed CLEAN, [66.111.4.25] [66.111.4.25] <jam...@fastmail.fm> -> <ja...@stimulussoft.com>, Message-ID: <1361889074.16425.140661197113865.2ecdd...@webmail.messagingengine.com>, mail_id: Qgl96w7X5Ph8, Hits: -1.791, size: 2433, queued_as: 597DB10DC1, 5037 ms
Feb 26 06:46:32 serve postfix/smtp[12624]: 3E42E10DB6: to=<ja...@stimulussoft.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.2, delays=0.12/0/0/5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 597DB10DC1)
Feb 26 06:46:32 serve postfix/qmgr[19586]: 3E42E10DB6: removed
Feb 26 06:46:32 serve postfix/local[12641]: 597DB10DC1: to=<ja...@stimulussoft.com>, relay=local, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Feb 26 06:46:32 serve postfix/qmgr[19586]: 597DB10DC1: removed

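Added example, not part of the original post: one way to read logs like these is to follow the "queued as" hand-off from the content filter back to the first queue ID, so that each message accepted from 127.0.0.1 is attributed to the client that really submitted it. The sample log, hosts, IPs and queue IDs below are constructed, and the function names are hypothetical; the sketch assumes short hexadecimal queue IDs and a filter that listens on 127.0.0.1, as in the logs above.

```python
import re

# Constructed sample in the layout of the logs above (all values are made up).
SAMPLE_LOG = """\
Feb 26 06:46:27 mx postfix/smtpd[100]: AAAA000001: client=mail.example.org[192.0.2.10]
Feb 26 06:46:32 mx postfix/smtpd[101]: BBBB000002: client=localhost.localdomain[127.0.0.1]
Feb 26 06:46:32 mx postfix/smtp[102]: AAAA000001: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BBBB000002)
Feb 26 06:46:32 mx postfix/local[103]: BBBB000002: to=<user@example.com>, relay=local, delay=0.07, dsn=2.0.0, status=sent (delivered to maildir)
Feb 26 07:00:01 mx postfix/smtpd[104]: CCCC000003: client=localhost.localdomain[127.0.0.1]
Feb 26 07:00:02 mx postfix/smtp[105]: CCCC000003: to=<rcpt@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, dsn=2.0.0, status=sent (250 ok)
"""

# smtpd line that records which client submitted a queue ID
CLIENT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+)\[([^\]]+)\]")
# smtp delivery to the local filter; the reply names the queue ID of the re-injected copy
REQUEUE = re.compile(
    r"postfix/smtp\[\d+\]: ([0-9A-F]+): .*relay=127\.0\.0\.1\[127\.0\.0\.1\]:\d+"
    r".*queued as ([0-9A-F]+)\)"
)

def trace(log_text):
    """Return (clients, parent): queue ID -> (host, ip), and re-injected ID -> original ID."""
    clients, parent = {}, {}
    for line in log_text.splitlines():
        m = CLIENT.search(line)
        if m:
            clients[m.group(1)] = (m.group(2), m.group(3))
        m = REQUEUE.search(line)
        if m:
            parent[m.group(2)] = m.group(1)
    return clients, parent

def origin(qid, clients, parent):
    """Walk the filter hand-offs back to the first queue ID and its submitting client."""
    seen = set()
    while qid in parent and qid not in seen:
        seen.add(qid)
        qid = parent[qid]
    return qid, clients.get(qid)

def unexplained_local(clients, parent):
    """Queue IDs accepted from 127.0.0.1 that no filter hand-off accounts for."""
    return sorted(q for q, (_, ip) in clients.items()
                  if ip == "127.0.0.1" and q not in parent)

if __name__ == "__main__":
    clients, parent = trace(SAMPLE_LOG)
    print(origin("BBBB000002", clients, parent))
    print(unexplained_local(clients, parent))
```

Queue IDs returned by `unexplained_local` were submitted by something on the host itself (a web form, script or local webmail) rather than re-injected by the filter, which narrows where to look next.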