
List:       spamassassin-users
Subject:    Re: DNS resolves to localhost
From:       Noel <noeldude () gmail ! com>
Date:       2014-08-22 20:48:52
Message-ID: 53F7ACB4.9080100 () gmail ! com

On 8/22/2014 2:55 PM, Kevin Miller wrote:
> I was looking at the output from logdigest on my egress mail server (smtp.ci.juneau.ak.us) and came across these:
> System Error Messages:
> aboutres.net. config error: mail loops back to me (MX problem?): 1 Time(s)
> flylib.net. config error: mail loops back to me (MX problem?): 1 Time(s)
> agesub.net. config error: mail loops back to me (MX problem?): 1 Time(s)
> midpoint.agesub.net. config error: mail loops back to me (MX problem?): 1 Time(s)
> despoina.flylib.net. config error: mail loops back to me (MX problem?): 1 Time(s)
> lectisternium.aboutres.net. config error: mail loops back to me (MX problem?): 1 Time(s)
> 
> And sure enough, the sleazy spammers are putting a loopback address in their DNS for the domain:
> 
> mkm@mxg:/etc/mail> host lectisternium.aboutres.net
> lectisternium.aboutres.net has address 127.0.0.1
> 
> Is anyone else seeing these?  What's the best way to block a server for which DNS returns a loopback address?  I'd think at the MTA, but a rule might be effective too.
> 
> Interestingly, the headers (with minor munging on the recipient name) on my inbound server show an actual IP address:
> Return-Path: <g>
> Received: from lectisternium.aboutres.net (lectisternium.aboutres.net [138.128.10.69]) by mxg.ci.juneau.ak.us (8.13.6/8.13.6/SuSE Linux 0.8) with ESMTP id s7FHufc5018797 for <my_user@ci.juneau.**.us>; Fri, 15 Aug 2014 09:56:51 -0800
> Content-Type: text/html; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Subject: Hot Summer Rewards - Costco Connection
> Date: Fri, 15 Aug 2014 10:56:41 -0700
> From: Member Rewards <Colin@lectisternium.aboutres.net>
> Message-ID: <4357.server-1325d972c7b4c47020930095928b359f7c14@aboutres.net>
> To: < my_user@ci.juneau.**.us>
> Reply-to: <Colin@aboutres.net>
> X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/
> Received-SPF: Pass (mxg.ci.juneau.ak.us: domain of colinshelton@lectisternium.aboutres.net designates 138.128.10.69 as permitted sender) receiver=mxg.ci.juneau.ak.us; client-ip=138.128.10.69; envelope-from=<ColinShelton@lectisternium.aboutres.net>; helo=lectisternium.aboutres.net;
> I'm wondering if they didn't have valid forward and PTR records for the duration of the spam run, then changed it. Obviously they would need a valid IP for a TCP/IP session and when doing the Forward Confirmed reverse DNS.  But maybe 127.0.0.1 works for the FCrDNS - is that configurable?
> 
> ...Kevin
> 
> *(Just to be clear, the messages that were sitting in the outbound queue were out of office messages, not bounced spam).
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357 
> 

Configure your MTA to block domains that resolve to localhost, for
example the postfix check_sender_mx feature.

But I don't think that would help this particular case.  It appears
the spammer changed the DNS records after the spam run.  I'm not
sure what the purpose of that might be, it just makes them look more
like a spammer.

No, you can't spoof FCrDNS by using localhost.  At the time
indicated in your Received: header, DNS was configured correctly.



  -- Noel Jones
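To make the two points in this reply concrete (an MTA-side check that rejects sender domains whose MX hosts resolve to loopback or other non-routable space, and why a 127.0.0.1 A record cannot satisfy forward-confirmed reverse DNS), here is an added example. It is not code from this thread, from Postfix or from SpamAssassin. The DNS data is a constructed in-memory table modelled on the records Kevin posted, so the script runs offline; the `resolve()` stub, the `BOGUS_NETS` list and the `example.com` records are assumptions chosen for illustration.

```python
"""Sender-domain DNS checks of the kind discussed in the thread.

Added example, not code from the list post. FAKE_DNS stands in for a real
resolver so the script runs offline; replace resolve() with dnspython or
socket lookups to use it for real.
"""
import ipaddress

# Constructed zone data modelled on the thread: the spammer's MX host now
# points at 127.0.0.1, while the PTR for the IP that actually connected
# (138.128.10.69, from the Received: header) still names that host.
# The example.com entries are a constructed, well-formed sender for contrast.
FAKE_DNS = {
    ("aboutres.net", "MX"): ["lectisternium.aboutres.net"],
    ("lectisternium.aboutres.net", "A"): ["127.0.0.1"],
    ("69.10.128.138.in-addr.arpa", "PTR"): ["lectisternium.aboutres.net"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com"],
}

# Address space an MX host has no business living in. This mirrors the kind
# of cidr: table an admin would hand to Postfix's check_sender_mx_access.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve(name, rtype):
    """Stub resolver: look up (name, record type) in the constructed table."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def is_bogus_target(addr):
    """True if addr falls inside loopback/private/unroutable space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGUS_NETS)


def mx_targets(domain):
    """Addresses of the domain's MX hosts; with no MX, fall back to the
    domain's own A record as RFC 5321 section 5.1 requires."""
    hosts = resolve(domain, "MX") or [domain]
    addrs = []
    for host in hosts:
        addrs.extend(resolve(host, "A"))
    return addrs


def sender_mx_verdict(domain):
    """Policy for the envelope sender's domain at MAIL FROM time.

    REJECT if any MX host resolves into BOGUS_NETS (mail for that domain
    would loop back to us, exactly the logdigest symptom in the thread);
    DEFER when nothing resolves, since that may be a transient DNS failure.
    """
    addrs = mx_targets(domain)
    if not addrs:
        return "DEFER"
    return "REJECT" if any(is_bogus_target(a) for a in addrs) else "OK"


def fcrdns(client_ip):
    """Forward-confirmed reverse DNS for the connecting IP.

    Returns the confirmed hostname, or None. The PTR name must resolve
    back to client_ip itself, so an A record of 127.0.0.1 can never
    confirm a connection that arrived from a public address.
    """
    ptr_name = ipaddress.ip_address(client_ip).reverse_pointer
    for name in resolve(ptr_name, "PTR"):
        if client_ip in resolve(name, "A"):
            return name
    return None


if __name__ == "__main__":
    for domain in ("aboutres.net", "example.com", "nonexistent.invalid"):
        print(f"MAIL FROM <@{domain}>: {sender_mx_verdict(domain)}")
    for ip in ("138.128.10.69", "192.0.2.10"):
        print(f"FCrDNS {ip}: {fcrdns(ip)}")
```

Run as-is, the spammer's domain is rejected because its only MX host lands in 127.0.0.0/8, and FCrDNS for 138.128.10.69 fails because the PTR name no longer resolves back to that address; the constructed example.com sender passes both. In Postfix the equivalent of `sender_mx_verdict` is `check_sender_mx_access cidr:/etc/postfix/mx_access` under `smtpd_sender_restrictions`, with the table listing the same networks with a REJECT action.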

