RE: Postfix trying to use invalid IP address...

From: Bill Cole (no email)
Date: Fri May 30 2008 - 13:13:28 EDT

  • Next message: Ralf Hildebrandt: "Re: amavis stops postfix still accepts mails"

    At 11:02 AM -0400 5/30/08, Dov Oxenberg wrote:
    >Hi Bill,
    >I think you are right on the money as I suspected the same thing.
    >In looking through my log files, there was a connection from the
    >Sony Network in Taiwan and then 90 minutes later my Postfix no
    >longer works.

    As Victor noted, spammers from all over the place connect to anything
    with a port 25 listener, and it is mostly harmless.

    When you suspect (but are not certain of) a system compromise, you
    have to cast a wider net than looking at connections to Postfix, but
    probably a narrower timeframe. You'd particularly want to know about
    logins, other processes logging oddities, files changing that should
    be static, etc.

    However, it seems like Victor identified the proximal cause of the
    problem, although you are still left with the oddity of why something
    on your system is taking a DNS query for 'all' and turning it into a
    query for 'all.com' instead. The only reason I immediately suggested
    the possibility of a compromise was the IP address 69.50.160.213.
    That address is in a block that has a rather poor reputation, with
    the whole /19 network currently being listed on the SBL and
    generating this: http://isc.sans.org/diary.html?storyid=997

    I agree with Victor that given everything you've found, this *does
    not* look like an attack. The nature of the problem with Postfix is
    quite clear now without postulating an attack.

    -- 
    Bill Cole                                  
    

  • Next message: Ralf Hildebrandt: "Re: amavis stops postfix still accepts mails"





    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs



    Powered By FreeBSD   Powered By FreeBSD