Author Topic: Clever Spammers  (Read 5180 times)

precisonline

  • President
  • Administrator
  • Rock Star
  • *****
  • Posts: 1601
    • Precision Solutions
Clever Spammers
« on: October 30, 2009, 05:04:48 pm »
A couple of days ago, as Colorado was being blanketed in snow, our local internet went down.  This led to a couple of days of madness with the phone company which was frustrating, but.. as they say, things happen for a reason.

When the connection to the outside world started yoyo-ing, I did what I always do - checked to see if there was any mail queued that was not going to be delivered in a reasonable window of time.  Imagine my surprise when I found the queue was chock-full of spam!

Digging deeper (while the network was down) I checked the logs only to find that untold someones have been connecting to my external mail interface with the IP address 127.0.0.1!  My mail server, configured according to reasonably standard rules and norms, thought this was all local traffic, and relayed it without question.  I have no idea how many messages sneaked through this way, but preliminary reviews of the logs from just this past week make me about want to puke.

I had no idea someone could masquerade as the loopback.  Though frustrated at the scramble to reconfigure my mail server to block this nastiness, I have to admit this is perhaps the most clever attack I've seen in a long time.  I mean, hey, I get hit with dictionary attacks every day, a periodic DoS attempt, and an occasional IP flood, but this is the first time I've seen this kind of thing.  Even more scary is that as I search the internet, there are hundreds of sites recommending the exact same mail configuration that I have been using and very few talking about how to correct the exploit!  In short, there could be MILLIONS of mail servers configured just like this and spammers who use this spoofing technology are likely having a heyday pushing their crap through doors that most system administrators might not even realize are open.

So I write this as an impassioned plea to all system administrators to check your mail logs and see that the loopback is being properly protected on your external interfaces.  I can't think of a single instance where the loopback should connect to the external interface, so any traffic received on an external interface with the source address of 127.0.0.1 is - without question - the boogeyman.
-Kevin
Accidents "happen"; success, however, is planned and executed.

precisonline

  • President
  • Administrator
  • Rock Star
  • *****
  • Posts: 1601
    • Precision Solutions
Re: Clever Spammers
« Reply #1 on: October 31, 2009, 10:09:05 am »
An update: There are certain spam hosts whose name resolves to "localhost"  (nslookup 123.16.216.190 for an example).  This spoof fools mail systems configured to accept local mail without question.  If you disable mail from localhost, however, any legitimate mail sent from the system - such as logs, status updates, health reports, etc. - will be suppressed and that could be a VERY bad side effect.

Solution: Change your hosts file to resolve 127.0.0.1 to something other than localhost, like local(yourfavoritecartoonname).  It can't just be "local" or anything easy, if we all did that it'll be mere moments before spammers figure that one out so it has to be something non-intuitive.  Yes, this does violate a longstanding standard, but considering the only people who really need "localhost" are the admins who will be coming up with it's replacement, I believe the violation is acceptable if it stops - or at least slows - the tide of spam.

Of course, someone somewhere is going to find a way around this, but if we make it difficult enough for them to take that next step, maybe, just maybe, we can convince a few spammers to consider getting a real job.
-Kevin
Accidents "happen"; success, however, is planned and executed.

precisonline

  • President
  • Administrator
  • Rock Star
  • *****
  • Posts: 1601
    • Precision Solutions
Re: Clever Spammers
« Reply #2 on: November 01, 2009, 10:13:36 am »
One more update.  In addition to people connecting to my machine with a spoofed 127.0.0.1 I have also learned that some of this spam was actually originating from this machine!  Hacked?  No.  Misconfigured?  Definitely.

Somewhere buried in the spam/virus filter was an option that said that once something was determined to be ugly, it would then get emailed to a centralized station for evaluation and removal.  Not entirely certain how this happened, but the recipient was not being changed to this removal station.  Therefore, this machine was receiving the message, marking it as bad, and then forwarding it on!  Man, I feel so dirty.

Needless to say, this has now been stopped.  Not all that surprisingly, my internet connection is feeling awfully spry now that all this bandwidth sucking slime has been stopped!  Of course, we still have the daily dictionary attacks going on, but until someone finds a way to send a nuclear warhead back through the line and blow the hell outta these idiots, I suppose that'll just have to be something we live with.
-Kevin
Accidents "happen"; success, however, is planned and executed.

Tom Pellitieri

  • Rock Star
  • *****
  • Posts: 223
  • Tom Pellitieri - Toledo, Ohio
Re: Clever Spammers
« Reply #3 on: November 02, 2009, 06:48:52 am »
... until someone finds a way to send a nuclear warhead back through the line and blow the hell outta these idiots, I suppose that'll just have to be something we live with.

Glad to know you're not bitter!!  ;D

precisonline

  • President
  • Administrator
  • Rock Star
  • *****
  • Posts: 1601
    • Precision Solutions
Re: Clever Spammers
« Reply #4 on: November 02, 2009, 07:00:32 am »
Bitter?  Nah.  Decisive?  Maybe...

This experience has taken many hours of my life to work out this past week, hours I may never get back.  Seems right that someone, somewhere should lose an equal or greater amount of their life, don't it?
-Kevin
Accidents "happen"; success, however, is planned and executed.