whois -h whois.apnic.net 222.253.97.110
...
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 222.253.32.0 - 222.253.175.255
netname: HCMPT-NET
country: vn
descr: Ho Chi Minh City Post and Telecom Company
admin-c: NG102-AP
tech-c: DQ79-AP
status: ALLOCATED NON-PORTABLE
changed: hm-changed@vnnic.net.vn 20061027
mnt-by: MAINT-VN-VNPT
source: APNIC

person: Nguyen Giang Do
nic-hdl: NG102-AP
e-mail: giangdo@hcmpt.com.vn
address: 125 Hai Ba Trung, Dist 1, HCMC
phone: +84-882-46476
fax-no: +84-882-46482
country: vn
changed: hm-changed@vnnic.net.vn 20061025
mnt-by: MAINT-VN-VNPT
source: APNIC

person: Duong Quoc Viet
nic-hdl: DQ79-AP
e-mail: quocviet@hcmpt.com.vn
address: 125 Hai Ba Trung, Dist1, HCMC
phone: +84-882-46480
fax-no: +84-882-46482
country: vn
changed: hm-changed@vnnic.net.vn 20061025
mnt-by: MAINT-VN-VNPT
source: APNIC
Category: Spam miscellany
Technorati: Spam
1. Matthias Leisi 08/10/2007 15:55:05
Homepage: http://www.dnswl.org/
Why would your whitelist trigger on the rDNS of the connecting IP address to start with? I sincerely hope Notes does not do this 
2. Chris Linfoot 08/10/2007 16:35:09
Well, ours doesn't but it is possible to configure it that way. In fact we have "localhost" in our deny list because we've seen this before...
08/10/2007 14:51:41 SMTP Server [087C:000C-09AC] Connection from localhost rejected for policy reasons. Connecting host is denied in your configuration.
08/10/2007 14:51:41 SMTP Server: localhost (222.253.97.110) connected
08/10/2007 14:51:42 SMTP Server: localhost (222.253.97.110) disconnected. 0 message(s) received
I suspect this technique must work against some targets. These would probably be where more than one SMTP service is running on a single server, with one of these listening on port 25 and then forwarding received messages to the other. If that second service is also relaying outbound via the same service as is listening on port 25 inbound (perhaps a spam/virus scanner), then it is conceivable that this service may have been configured to accept connections from localhost and perhaps even to relay for localhost.
This exploit must work somewhere or they wouldn't do it. And look up the PTRs of other IPs in the same /23 network. Every one I have tried so far is localhost.
3. Chris Siebenmann 09/10/2007 04:22:07
Homepage: http://utcc.utoronto.ca/~cks/space/blog/
No good system should be fooled by this reverse DNS anyways, since the forward name 'localhost' will not verify as pointing to that IP address (unless you specifically configure your DNS server to do that). Any system that blindly trusts reverse DNS without verifying it is open to any number of serious problems, since reverse DNS is completely under the control of an attacker; they could equally easily make it claim to be a hostname in your own domain.
(Pragmatically, I suspect that the 'localhost' DNS names are yet another example of the general phenomenon where some authority decrees that everything must have reverse DNS, but the people doing it either don't have any good names to put in or are a bit fuzzy on the whole concept.)
4. Chris Linfoot 09/10/2007 09:38:39
@3 - you are right. No good system should be fooled.
Plenty of bad ones could be. Did you ever meet an Exchange administrator?
5. Oliver Regelmann 13/10/2007 16:03:46
Homepage: http://n-komm.de/blog
If you do a reverse lookup on a Windows server (XP doesn't show the same behaviour) for this IP, e.g. by using this command
ping -a 222.253.97.110
it will not return localhost, but your own hostname. The same is given back to Domino when it checks a connecting server against its whitelist. So additionally you shouldn't whitelist your hostname or even your own domain either.
6. Chris Linfoot 15/10/2007 11:59:39
@5: That would be W2K3 servers specifically. W2K correctly reports the PTR retrieved from DNS. W2K3 seems to find localhost, associate that with the local machine and resolve the remote IP as itself.
Nasty.
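The thread above makes three defensive points: a PTR of "localhost" should never get a connecting host onto a whitelist (comment 2), a reverse name should only count once it is forward-confirmed, i.e. the name resolves back to the connecting IP (comment 3), and a name that matches the receiving server's own hostname or domain should not be trusted either, since W2K3 was observed resolving the remote IP as itself (comments 5 and 6). The following is an added example that is not the post's or any commenter's code, nor Domino's: a Python whitelist check that applies all three rules. The resolver is injectable so the example runs offline; the DNS records in it are constructed, except for the 222.253.97.110 → localhost PTR taken from the post, and the whitelist and host names are assumed.

```python
# Added example (not from the post or its commenters): a whitelist decision
# that trusts a PTR name only if it is forward-confirmed, whitelisted, and
# not a name we would recognise as localhost or as ourselves.
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# ---- constructed DNS data; only 222.253.97.110 -> localhost is from the post
FAKE_PTR = {
    "222.253.97.110": "localhost",            # the PTR observed in the post
    "192.0.2.10": "mail.example.net",         # legitimate: A record points back
    "192.0.2.20": "mx.example.org",           # A record points somewhere else
    "192.0.2.30": "smtp.ourcompany.example",  # claims to be our own server
}
FAKE_A = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["192.0.2.21"],
    "smtp.ourcompany.example": ["192.0.2.30"],  # even verifies - still refused
    "localhost": ["127.0.0.1"],
}

def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])

# ---- real resolver functions for use outside the offline demo
def system_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name: str) -> List[str]:
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

# Names that must never earn trust no matter what the whitelist says.
NEVER_TRUST = {"localhost", "localhost.localdomain"}

def whitelist_decision(
    ip: str,
    whitelist: Iterable[str],
    own_names: Iterable[str],
    ptr: Callable[[str], Optional[str]] = system_ptr,
    forward: Callable[[str], List[str]] = system_forward,
) -> Tuple[bool, str]:
    """Return (trusted, reason).

    Trust only a PTR name that (1) is not localhost and not one of our own
    names, (2) resolves forward to the connecting IP (FCrDNS), and (3) is on
    the whitelist, exactly or as a subdomain of a whitelisted domain.
    """
    allowed = {w.lower().rstrip(".") for w in whitelist}
    own = {o.lower().rstrip(".") for o in own_names}
    name = ptr(ip)
    if not name:
        return False, "no PTR record"
    name = name.lower().rstrip(".")
    if name in NEVER_TRUST or name in own:
        return False, f"PTR '{name}' claims to be localhost or this host"
    if ip not in forward(name):
        return False, f"PTR '{name}' is not forward-confirmed for {ip}"
    if name in allowed or any(name.endswith("." + w) for w in allowed):
        return True, f"FCrDNS-verified '{name}' is whitelisted"
    return False, f"'{name}' verified but not on the whitelist"

if __name__ == "__main__":
    # Assumed local configuration for the demo.
    wl = ["example.net", "example.org", "ourcompany.example"]
    me = ["smtp.ourcompany.example"]
    for peer in FAKE_PTR:
        print(peer, whitelist_decision(peer, wl, me, fake_ptr, fake_forward))
```

Only 192.0.2.10 is trusted in the demo: the spammer's "localhost" PTR and the name that impersonates the receiving server are refused before any lookup, and mx.example.org fails because its A record does not point back at the connecting address. Swap `fake_ptr`/`fake_forward` for the defaults to run the same logic against real DNS.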