Naming Trick Opens Mail Servers

[Peaches]

6 August 2009, 15:45

Naming trick opens mail servers

A number of Vietnamese spam sources are currently attracting attention because the spammers have equipped the relevant hosts with DNS pointer records called "localhost". As a result, IP addresses like 123.27.3.81, 222.252.80.188 or 123.16.13.188 produce this name when a reverse look-up occurs. The problem is caused by badly configured Domain Name Systems, as "localhost" should generally translate to a single IP address – 127.0.0.1 – which is reserved for local system loopback.

Some mail servers are configured in such a way that they don't even accept emails from clients that exhibit a name that returns an obviously incorrect reverse lookup. However other mail servers give preferential treatment to "localhost" and grant the Far-Eastern clients a special privilege, namely the "relaying" of emails to arbitrary recipients even outside the local network, because the servers or administrators have assumed that "localhost" is part of the local network.

Mail server operators must make sure they avoid falling victim to this trick. For example, they can make relays only available from local IP addresses and not identify clients by reverse look-up DNS names. Normal open relay tests don't produce an alert in this case, because the test client usually isn't called "localhost". Several vulnerable mail servers have already been added to the iX blacklist. In addition to blacklisting, the operators of open relays potentially face having to pay damages to spam or malware recipients.

(djwm)

Heise security - http://www.h-online.com/security/Naming-tr...s--/news/113946