Re: Attempt on smtpd / faking remote ip
you should also filter out 127.0.0.0/8 on any network interface but "lo".
so that spoofing with localhost-adresses is not possible anymore.
( for example:
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -o lo -p ALL -j ACCPET
iptables -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -o lo -p ALL -j ACCPET
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -p ALL -j REJECT
iptables -A OUTPUT -s 0/0 -d 127.0.0.0/8 -p ALL -j REJECT
maybe the same for private addresses that aren't allowed to come in on your
and for the mail script you use... check your weblog for the time you saw the
misterous connections in postfix. If there was something you should see the
hits the access.log
Am Sonntag 04 April 2004 13:52 schrieb Andreas Vent-Schmidt:
> Hi Andreas,
> thanks a lot for your hints.
> At 12:54 Uhr +0200 04.04.2004, Andreas John wrote:
> >It looks like your friend is trying to inject pakets into your smtp with
> >faked (spoofed) ips. In this particular case he sends as "localhost". I
> > guess ...
> >more likely that he tries to overflow postfix (unprobable) or procmail
> > (suid root? postfix in chroot?) or your viruskiller or or or .....
> It's very likely that you are right with this. Of course, postfix is in
> >Another possibility is that you have an http-server with a "formmail" in
> > this boxen. Mail via this from come from localhost. It's an usual manner
> > from spammers to exploit self-written mailforms by putting new header
> > lines (To and CC) into to subject line of the form. (I had a case where
> > they even put
> I know this kind of attack - but it's not that easy on the server in
> question: there is no standard "formmail.pl" or something like this.
> I believe that my PHP based contact (done myself) form is quite
> secure (there's no subject field or variable, all input is escaped
> and so on).
> >I don't want to spread fear, so
> >1.) Boot superrescue, knoppix or so
> >2.) Run chkrootkit (deb package is mostly a little old)
> >3.) If you run chkrotokit on Debian, chkrootkit reports one false
> > positive!
> It'll be done!
> Thanks again and have a good day!
> procommerz - Internet fuer Unternehmen
> http://www.procommerz.de | 033925-90710
> Stoppt TCPA, das Zensursystem von Microsoft! | http://www.againsttcpa.com