From: Bill Cole (no email)
Date: Fri May 30 2008 - 13:13:28 EDT

At 11:02 AM -0400 5/30/08, Dov Oxenberg wrote:
>Hi Bill,
>I think you are right on the money as I suspected the same thing.
>In looking through my log files, there was a connection from the
>Sony Network in Taiwan and then 90 minutes later my Postfix no
>longer works.

As Victor noted, spammers from all over the place connect to anything
with a port 25 listener, and it is mostly harmless.

When you suspect (but are not certain of) a system compromise, you
have to cast a wider net than looking at connections to Postfix, but
probably a narrower timeframe. You'd particularly want to know about
logins, other processes logging oddities, files changing that should
be static, etc.

However, it seems like Victor identified the proximal cause of the
problem, although you are still left with the oddity of why something
on your system is taking a DNS query for 'all' and turning it into a
query for 'all.com' instead. The only reason I immediately suggested
the possibility of a compromise was the IP address 69.50.160.213.
That address is in a block that has a rather poor reputation, with
the whole /19 network currently being listed on the SBL and
generating this: http://isc.sans.org/diary.html?storyid=997

I agree with Victor that given everything you've found, this *does
not* look like an attack. The nature of the problem with Postfix is
quite clear now without postulating an attack.

-- Bill Cole