Use a firewall to block 127.0.0.1 (or whatever the block is, 127.0.0.0/8?) from coming in from eth0 and eth1

eg:

iptables -A INPUT -i eth0 --source 127.0.0.1 --destination 127.0.0.1 -j REJECT
iptables -A INPUT -i ppp0 --source 127.0.0.1 --destination 127.0.0.1 -j REJECT
etc



On Wednesday, Sep 17, 2003, at 15:19 Pacific/Auckland, Eric Livingston wrote:


Somebody figured out how to spoof their email so it looked like it was
coming from localhost, and thus was able to relay through my server, as
shown below. I've removed 127.0.0.1 from smtpaccess/default to hopefully
block this attack in the future. Is that the right thing to do? Why did the
server accept the mail at all if it was from <>? I have dns checking turned
on, and the log does show that bogus from domains are rejected. Isn't an
empty domain bogus? What rule do I need to ensure that mail from <> never
gets accepted? How do I prevent this spoofing attack from working in the
future? I'm frustrated that I was used like this. I think this paki.com
message was the initial message that alerted whoever that is that my server
would bounce spoofed messages from 127.0.0.1, since it then began sending
tons of messages through my server formatted the same way... I hope my
removal of 127.0.0.1 from the access file will stop this - but what might I
have broken by doing so?


Thanks for any help,
Eric

log-2003-09-17-02:19:42:Sep 16 20:53:35 [courierd] newmsg,id=000CA6A2.3F67B08E.00004329: dns; localhost (localhost [127.0.0.1])
log-2003-09-17-02:19:42:Sep 16 20:53:35 [courierd] started,id=000CA6A2.3F67B08E.00004329,from=<>,module=esmtp,host=paki.com,addr=<[EMAIL PROTECTED]>
log-2003-09-17-02:19:42:Sep 16 20:53:41 [courieresmtp] id=000CA6A2.3F67B08E.00004329,from=<>,addr=<[EMAIL PROTECTED]>: 250 2.0.0 h8H0KUwT008063 Message accepted for delivery
log-2003-09-17-02:19:42:Sep 16 20:53:41 [courieresmtp] id=000CA6A2.3F67B08E.00004329,from=<>,addr=<[EMAIL PROTECTED]>,size=11578,success: delivered: mailrecv.bigmailbox.com [209.132.220.133]
log-2003-09-17-02:19:42:Sep 16 20:53:41 [courieresmtp] id=000CA6A2.3F67B08E.00004329,from=<>,addr=<[EMAIL PROTECTED]>,size=11578,status: success
log-2003-09-17-02:19:42:Sep 16 20:53:41 [courierd] completed,id=000CA6A2.3F67B08E.00004329



courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
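A log check for the pattern in the quoted log, added here as an example and not part of either message: it lists messages that courierd recorded as arriving from a loopback address (anywhere in 127.0.0.0/8) and that courieresmtp then delivered to a remote host. The regular expressions assume the line layout shown in the log above; the function name, sample lines and addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines modelled on the courier log format quoted above.
SAMPLE_LOG = """\
Sep 16 20:53:35 [courierd] newmsg,id=000A.0001.0001: dns; localhost (localhost [127.0.0.1])
Sep 16 20:53:35 [courierd] started,id=000A.0001.0001,from=<>,module=esmtp,host=example.net,addr=<victim@example.net>
Sep 16 20:53:41 [courieresmtp] id=000A.0001.0001,from=<>,addr=<victim@example.net>,size=11578,success: delivered: mx.example.net [192.0.2.10]
Sep 16 21:00:02 [courierd] newmsg,id=000A.0002.0002: dns; mail.example.org (mail.example.org [198.51.100.7])
Sep 16 21:00:02 [courierd] started,id=000A.0002.0002,from=<bob@example.org>,module=esmtp,host=example.net,addr=<carol@example.net>
Sep 16 21:00:05 [courieresmtp] id=000A.0002.0002,from=<bob@example.org>,addr=<carol@example.net>,size=900,success: delivered: mx.example.net [192.0.2.10]
"""

NEWMSG = re.compile(r"newmsg,id=([0-9A-F.]+): dns; \S+ \(\S+ \[([0-9.]+)\]\)")
STARTED = re.compile(r"started,id=([0-9A-F.]+),from=<([^>]*)>,module=(\w+)")
DELIVERED = re.compile(
    r"\[courieresmtp\] id=([0-9A-F.]+),.*success: delivered: \S+ \[([0-9.]+)\]")

def is_loopback(addr):
    """True for any address in 127.0.0.0/8; False if missing or unparsable."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def find_loopback_relays(log_text):
    """Return messages with a loopback peer that were delivered to a remote host."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        if m := NEWMSG.search(line):
            msgs[m.group(1)]["peer"] = m.group(2)
        elif m := STARTED.search(line):
            msgs[m.group(1)].update(sender=m.group(2), module=m.group(3))
        elif m := DELIVERED.search(line):
            msgs[m.group(1)]["remote"] = m.group(2)
    hits = []
    for msg_id, info in msgs.items():
        remote = info.get("remote", "")
        # Local software submitting over SMTP to localhost also matches,
        # so treat the result as a review list rather than a verdict.
        if (is_loopback(info.get("peer", "")) and info.get("module") == "esmtp"
                and remote and not is_loopback(remote)):
            hits.append({"id": msg_id, "peer": info["peer"], "remote": remote,
                         "null_sender": info.get("sender") == ""})
    return hits

if __name__ == "__main__":
    for hit in find_loopback_relays(SAMPLE_LOG):
        print(hit)
```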