LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Old 11-19-2003, 12:01 PM   #1
thepeeratt
LQ Newbie
 
Registered: Nov 2003
Posts: 3

Rep: Reputation: 0
my linux box doesn't understand...


hi all,

only recently have i noticed that one (of two) of my linux smtp servers was trying to send an email to a host out on the internet with an IP address of 127.0.0.1. after some digging i've determined that "forged-spamm-addr.oulu.fi" does have A and MX records with an IP of 127.0.0.1.

so, this server doesn't understand it shouldn't be trying to deliver to this 127.~. i compared its routing tables with my other server and sure enough, it doesn't have an entry for 127.~, the other does.

so, i'm wondering how does this happen, could this machine have been tampered with, is it just misconfigured, all of the above?

oh, also, along with the outgoing 25/tcp packets to 127.0.0.1, every 5th or so packet is 512/tcp connection attempt, to the same 127.~ address. errr.

i'm running sendmail v8.11.6.

any pointers greatly appreciated
 
Old 11-19-2003, 12:14 PM   #2
LogicG8
Member
 
Registered: Jun 2003
Location: Long Island, NY
Distribution: Gentoo Unstable (what a misnomer)
Posts: 380

Rep: Reputation: 30
127.0.0.1 is your computer
it's a loopback address.

at whatever computer you are at
127.0.0.1 points to that computer.

the server was trying to contact
your machine.
 
Old 11-19-2003, 12:23 PM   #3
thepeeratt
LQ Newbie
 
Registered: Nov 2003
Posts: 3

Original Poster
Rep: Reputation: 0
well, in this case i wish that were true.

127.0.0.1 is in fact in my hosts file, but not in the routing table.

when i ping that IP, it doesn't respond, as it normally does/would. and, when doing a "dig" on the destination domain (forged-spamm-addr.oulu.fi) embedded in the email which was stuck in the server queue, it actually has an A-record pointing to 127.0.0.1. i thought this was a no-no.

[root@www etc]# dig forged-spamm-addr.oulu.fi

; <<>> DiG 9.2.1 <<>> forged-spamm-addr.oulu.fi
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2667
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;forged-spamm-addr.oulu.fi. IN A

;; ANSWER SECTION:
forged-spamm-addr.oulu.fi. 121 IN A 127.0.0.1

;; AUTHORITY SECTION:
oulu.fi. 10872 IN NS ousrvr.oulu.fi.
oulu.fi. 10872 IN NS ousrvr2.oulu.fi.
oulu.fi. 10872 IN NS ns-secondary.funet.fi.

anyone?
 
Old 11-19-2003, 06:26 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Many spammers intentionally set up incorrect MX records to be a pain in the arse. Basically any bounce messages that you try to send back to them will end up going to your loopback address, a broadcast address, etc...

Any time you notice one of these domains, make sure you add them to your inbound blocking list, and also add the domain to an outbound blacklist, like point the messages at /dev/null or something similar (whatever the syntax is for your MTA).

This is just one of the conditions that commercial anti-spam tools look for in blocking spam.
 
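The check chort describes, written out as an added example (not code from the thread or from any MTA): given the addresses that each recipient domain's MX or A records resolve to, flag the domains whose mail hosts sit in loopback, broadcast, private or other non-routable space, and emit the corresponding entries for sendmail's /etc/mail/access map. The sample records are constructed; only forged-spamm-addr.oulu.fi -> 127.0.0.1 comes from the thread, the *.example.invalid names are hypothetical.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of what "dig" returned for each recipient domain: the
# addresses of its MX hosts (or its A record when it has no MX). The first
# entry is the one from the thread; the others are hypothetical.
RESOLVED_RECORDS: Dict[str, List[str]] = {
    "forged-spamm-addr.oulu.fi": ["127.0.0.1"],
    "bcast.example.invalid": ["255.255.255.255"],
    "rfc1918.example.invalid": ["10.0.0.5"],
    "mixed.example.invalid": ["198.51.100.7", "127.0.0.1"],
    "plain.example.invalid": ["198.51.100.7"],
}

# Address blocks no legitimate internet mail exchanger can live in. Listed
# explicitly (rather than via ipaddress's is_private) so that documentation
# ranges such as 198.51.100.0/24, used in the sample above, are not flagged.
BOGUS_V4_BLOCKS = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("this-network", ipaddress.ip_network("0.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("reserved", ipaddress.ip_network("240.0.0.0/4")),
]


def classify_address(addr: str) -> str:
    """Return 'ok', or the reason this address cannot be a real mail host."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if addr == "255.255.255.255":      # limited broadcast, checked before 240/4
            return "broadcast"
        for reason, net in BOGUS_V4_BLOCKS:
            if ip in net:
                return reason
        return "ok"
    # IPv6: the stdlib flags cover the equivalent classes.
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "this-network"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    return "ok"


def audit_domains(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each domain with at least one bogus mail host to its sorted reasons.
    A domain with one good and one bogus target is still reported: a bounce
    may be routed to whichever MX the MTA picks."""
    findings: Dict[str, List[str]] = {}
    for domain, addrs in records.items():
        reasons = sorted({classify_address(a) for a in addrs} - {"ok"})
        if reasons:
            findings[domain] = reasons
    return findings


def sendmail_access_lines(findings: Dict[str, List[str]]) -> List[str]:
    """Entries for sendmail's /etc/mail/access hash map (assumed to be in use,
    as chort's 'inbound blocking list'); rebuild the map afterwards with
    'makemap hash /etc/mail/access < /etc/mail/access'."""
    return [f"{domain}\tREJECT" for domain in sorted(findings)]


if __name__ == "__main__":
    found = audit_domains(RESOLVED_RECORDS)
    for domain, reasons in found.items():
        print(f"{domain}: {', '.join(reasons)}")
    print("\n".join(sendmail_access_lines(found)))
```

In practice the RESOLVED_RECORDS dict would be filled from a resolver lookup of the MX hosts of every domain that shows up in the bounce queue; the classifier is deliberately conservative and does not flag documentation or unallocated space, so it will not reject mail on its own, only the cases the thread is about.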
Old 11-20-2003, 10:07 AM   #5
thepeeratt
LQ Newbie
 
Registered: Nov 2003
Posts: 3

Original Poster
Rep: Reputation: 0
great info chort, thanks.

i still have this question about how or why this linux box thinks it can send data to a loopback address (127.~). when i ping the loopback from the console, it goes out to the world. i checked the hosts file, 127.~ localhost is there. however, i compared a *properly working* linux box's routing tables with this *improperly working* box, and i see a discrepancy. this machine in question doesn't have the 127.~ address in its routing table. i reckon i could add it back, but i'm really wondering how this might have occurred. i suppose i could reboot the machine and see if it's re-added. could this machine have been tampered with?, would this be something someone would do intentionally? or, are chances better that this is a rookie oversight? sorry for the long and confusing reply, but hey, i'm a newbie... &)

thanks in advance for any further insight!
-thepeeratt
 
Old 11-21-2003, 02:57 PM   #6
orgcandman
Member
 
Registered: May 2002
Location: new hampshire
Distribution: Fedora, RHEL
Posts: 600

Rep: Reputation: 110
just a quick thought

do an ifconfig and see if the loopback interface is up. If it isn't, ifconfig lo 127.0.0.1 will make it come up

aaron
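The comparison thepeeratt made by eye between the two boxes' routing tables, and the reason a ping to 127.0.0.1 "goes out to the world", as an added example (not code from the thread): parse `route -n` output, find the route the kernel would pick for 127.0.0.1 by longest-prefix match, and report whether it goes via lo or falls through to the default gateway. Both routing tables are constructed samples; the repair commands are the ones orgcandman suggested plus the matching `route add`.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed "route -n" output for a healthy box ...
HEALTHY_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

# ... and for one whose loopback route is missing, as in the thread.
BROKEN_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text: str) -> List[Dict[str, str]]:
    """Turn the columns of 'route -n' into dicts, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        routes.append({
            "dest": fields[0], "gateway": fields[1], "mask": fields[2],
            "flags": fields[3], "iface": fields[-1],
        })
    return routes


def lookup(routes: List[Dict[str, str]], addr: str) -> Optional[Dict[str, str]]:
    """Longest-prefix match, which is how the kernel chooses among routes.
    The default route (0.0.0.0/0.0.0.0) matches everything with prefix 0."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(f"{r['dest']}/{r['mask']}", strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def loopback_diagnosis(route_n_output: str) -> Dict[str, object]:
    """Report where 127.0.0.1 would be sent. With no 127/8 route via lo the
    packet takes the default route out of eth0, which is what the poster saw."""
    hit = lookup(parse_route_n(route_n_output), "127.0.0.1")
    return {
        "loopback_route_present": hit is not None and hit["iface"] == "lo",
        "iface": hit["iface"] if hit else None,
        "gateway": hit["gateway"] if hit else None,
    }


def repair_commands() -> List[str]:
    """Bring lo up (orgcandman's suggestion) and restore the 127/8 route.
    Classic net-tools syntax; on a current system 'ip link set lo up' does the
    same and the route lives in the 'local' table ('ip route show table local'),
    where 'route -n' does not list it."""
    return [
        "ifconfig lo 127.0.0.1",
        "route add -net 127.0.0.0 netmask 255.0.0.0 dev lo",
    ]


if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY_ROUTE_N), ("broken", BROKEN_ROUTE_N)):
        print(name, loopback_diagnosis(table))
    print("\n".join(repair_commands()))
```

The useful part for the "was it tampered with?" question is not the repair but the before-and-after: a loopback route that disappears without a reboot or an interface reconfiguration is worth checking against the shell history, the init scripts that configure lo, and anything that runs ifconfig or route with elevated privileges.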
 