Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Only recently have I noticed that one (of two) of my Linux SMTP servers was trying to send an email to a host out on the Internet with an IP address of 127.0.0.1. After some digging I've determined that "forged-spamm-addr.oulu.fi" does have A and MX records with an IP of 127.0.0.1.
So, this server doesn't understand it shouldn't be trying to deliver to this 127.~. I compared its routing tables with my other server and sure enough, it doesn't have an entry for 127.~; the other does.
So, I'm wondering how does this happen: could this machine have been tampered with, is it just misconfigured, all of the above?
Oh, also, along with the outgoing 25/tcp packets to 127.0.0.1, every 5th or so packet is a 512/tcp connection attempt, to the same 127.~ address. Errr.
127.0.0.1 is in fact in my hosts file, but not in the routing table.
When I ping that IP, it doesn't respond, as it normally does/would. And, when doing a "dig" on the destination domain (forged-spamm-addr.oulu.fi) embedded in the email which was stuck in the server queue, it actually has an A record pointing to 127.0.0.1. I thought this was a no-no.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Many spammers intentionally set up incorrect MX records to be a pain in the arse. Basically any bounce messages that you try to send back to them will end up going to your loopback address, a broadcast address, etc.
Any time you notice one of these domains, make sure you add them to your inbound blocking list, and also add the domain to an outbound blacklist, like point the messages at /dev/null or something similar (whatever the syntax is for your MTA).
This is just one of the conditions that commercial anti-spam tools look for in blocking spam.
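The check the reply above alludes to, as an added example that is not part of the thread or of any MTA: resolve a sender domain's MX targets, classify each address against the ranges that can never be a remote mail host (loopback, unspecified, RFC 1918, link-local, multicast, reserved/broadcast), and refuse the domain when it has no routable mail host at all. The DNS answers are constructed inline to mirror the case in the thread (an MX whose A record is 127.0.0.1); the other domains are hypothetical, and nothing is queried over the network. In real use the dict would be filled from a resolver such as dnspython before accepting mail or generating a bounce.

```python
"""Flag mail domains whose MX targets resolve to undeliverable addresses.

Added example for the reply above, not code from the thread or from any
MTA. The DNS answers are CONSTRUCTED inline to mirror the case discussed
(an MX whose A record is 127.0.0.1); nothing is queried over the network.
"""
import ipaddress

# Constructed stand-in for `dig MX` / `dig A` answers. Domains other than
# the one from the thread are hypothetical (reserved example names).
CONSTRUCTED_DNS = {
    "forged-spamm-addr.oulu.fi": {"MX": ["forged-spamm-addr.oulu.fi."],
                                  "A": ["127.0.0.1"]},
    "example.net":               {"MX": ["mail.example.net."], "A": []},
    "mail.example.net":          {"MX": [], "A": ["203.0.113.25"]},
    "broadcast-trap.example":    {"MX": ["mx.broadcast-trap.example."], "A": []},
    "mx.broadcast-trap.example": {"MX": [], "A": ["255.255.255.255", "0.0.0.0"]},
}

# Addresses that can never be a remote mail host. Listed explicitly rather
# than via ipaddress.is_private so the result is stable across Python
# versions; the RFC 5737 documentation ranges are deliberately omitted here
# because the sample uses one as a stand-in for an ordinary public address.
UNDELIVERABLE_NETS = [
    (ipaddress.ip_network("0.0.0.0/8"),      "unspecified / 'this' network"),
    (ipaddress.ip_network("127.0.0.0/8"),    "loopback"),
    (ipaddress.ip_network("10.0.0.0/8"),     "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"),  "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("224.0.0.0/4"),    "multicast"),
    (ipaddress.ip_network("240.0.0.0/4"),    "reserved / limited broadcast"),
]


def bogon_reason(ip_str):
    """Why `ip_str` is undeliverable as a mail host, or None if it is routable."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6:
        # Not exercised by the sample data; use the stdlib classification.
        for attr in ("is_loopback", "is_unspecified", "is_multicast",
                     "is_link_local", "is_private"):
            if getattr(ip, attr):
                return attr[3:].replace("_", "-")
        return None
    for net, reason in UNDELIVERABLE_NETS:
        if ip in net:
            return reason
    return None


def mail_hosts(domain, dns):
    """MX targets for `domain` (trailing dot stripped), or the domain itself
    when it has no MX (the implicit MX rule of RFC 5321 section 5.1)."""
    hosts = [h.rstrip(".") for h in dns.get(domain, {}).get("MX", [])]
    return hosts or [domain]


def check_domain(domain, dns=CONSTRUCTED_DNS):
    """Classify every address behind the domain's mail hosts."""
    report = {"deliverable": [], "bogus": [], "unresolved": []}
    for host in mail_hosts(domain, dns):
        addrs = dns.get(host, {}).get("A", [])
        if not addrs:
            report["unresolved"].append(host)
            continue
        for addr in addrs:
            reason = bogon_reason(addr)
            if reason is None:
                report["deliverable"].append((host, addr))
            else:
                report["bogus"].append((host, addr, reason))
    return report


def verdict(domain, dns=CONSTRUCTED_DNS):
    """'block' when no mail host of the domain has a routable address,
    otherwise 'accept'. A domain with only bogon MX targets can never
    receive a bounce, so there is no point accepting its mail either."""
    return "accept" if check_domain(domain, dns)["deliverable"] else "block"


if __name__ == "__main__":
    for d in CONSTRUCTED_DNS:
        print(f"{d:28s} {verdict(d):7s} {check_domain(d)['bogus']}")
```

The verdict is deliberately "block only when nothing is deliverable": a domain with one bogon MX and one good one is still reachable for bounces, and flagging it outright would reject legitimate but sloppily configured senders. An MTA would feed the result into its sender-domain access map (the inbound block the reply describes) and a transport map that discards outbound mail for the same domains.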
I still have this question about how or why this Linux box thinks it can send data to a loopback address (127.~). When I ping the loopback from the console, it goes out to the world. I checked the hosts file; 127.~ localhost is there. However, I compared a *properly working* Linux box's routing tables with this *improperly working* box, and I see a discrepancy. This machine in question doesn't have the 127.~ address in its routing table. I reckon I could add it back, but I'm really wondering how this might have occurred. I suppose I could reboot the machine and see if it's re-added. Could this machine have been tampered with? Would this be something someone would do intentionally? Or are chances better that this is a rookie oversight? Sorry for the long and confusing reply, but hey, I'm a newbie... &)
thanks in advance for any further insight!
-thepeeratt
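Why a packet for 127.0.0.1 can leave the box at all, as an added example that is not part of the thread and not kernel code: a longest-prefix lookup over two constructed `route -n` tables, one with the usual 127.0.0.0/8 entry on lo and one without it. Both tables are constructed (RFC 5737 192.0.2.0/24 stands in for the LAN and 192.0.2.1 for the gateway); the lookup models the main-table longest-prefix match that the OP's `route -n` comparison is about.

```python
"""Why a packet for 127.0.0.1 can leave on eth0: longest-prefix lookup
over a `route -n` style table with and without the loopback entry.

Added example for the thread above, not code from the thread or from the
kernel. Both tables below are CONSTRUCTED (RFC 5737 192.0.2.0/24 stands in
for the LAN); the lookup models the kernel's main-table longest-prefix
match and is not kernel code.
"""
import ipaddress

HEALTHY_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
"""

# Same box with the 127.0.0.0/8 entry missing, as described in the thread.
BROKEN_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text):
    """Parse `route -n` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        try:
            ipaddress.IPv4Address(parts[0])   # skips the two header lines
        except ValueError:
            continue
        dest, gateway, genmask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        routes.append({
            "net": ipaddress.IPv4Network((dest, genmask)),
            "via": None if gateway == "0.0.0.0" else gateway,  # None = directly connected
            "flags": flags,
            "iface": iface,
        })
    return routes


def egress(routes, dst):
    """Longest-prefix match: {'iface', 'via'} for dst, or None if unreachable."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if ip in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return None if best is None else {"iface": best["iface"], "via": best["via"]}


def missing_loopback_route(routes):
    """True when nothing in the table sends 127.0.0.0/8 to lo."""
    lo_addr = ipaddress.IPv4Address("127.0.0.1")
    return not any(r["iface"] == "lo" and lo_addr in r["net"] for r in routes)


if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY_ROUTE_N), ("broken", BROKEN_ROUTE_N)):
        routes = parse_route_n(table)
        print(name, "->", egress(routes, "127.0.0.1"),
              "| loopback route missing:", missing_loopback_route(routes))
```

With the /8 entry present, 127.0.0.1 matches it (prefix length 8) ahead of the default route (prefix length 0) and stays on lo; without it, the only match is the default route and the packet goes to the gateway, which is exactly the "ping goes out to the world" symptom. Two caveats for anyone diagnosing this on a real box: the route is normally created when lo is brought up, so re-running `ifup lo`, or adding it by hand with `route add -net 127.0.0.0 netmask 255.0.0.0 dev lo`, restores it; and on current kernels the loopback entries live in the `local` routing table (`ip route show table local`), which is consulted before `main` and is not shown by `route -n`, so a missing main-table entry only sends loopback traffic out an interface if lo has no 127.0.0.1 address configured at all (check `ip addr show lo`).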