
I just noticed this strange warning in my syslog:

postfix/smtpd[26261]: warning: hostname localhost does not resolve to
    address 113.167.250.138

...which is then immediately followed by:

postfix/smtpd[26261]: connect from unknown[113.167.250.138]
postfix/smtpd[26261]: NOQUEUE: reject: RCPT from unknown[113.167.250.138]:
    550 5.1.1 <advertising@crestore.com>: Recipient address rejected: User
    unknown; from=<bseatz@somedomain.example.com>
    to=<advertising@mydomain.example.com> proto=ESMTP helo=<localhost>
postfix/smtpd[26261]: disconnect from unknown[113.167.250.138]

So I decided to do a traceroute from a different win machine and that remote IP resolved to the machine's HOSTNAME:

> tracert 113.167.250.138

Tracing route to MYHOSTNAME [113.167.250.138] over a maximum of 30 hops:

  1  MYHOSTNAME [113.167.250.138]
  2  [2-5 removed]
  6  ix-8-0-3-0.tcore1.CT8-Chicago.as6453.net [x.x.x.x]
  7  if-22-2.tcore2.CT8-Chicago.as6453.net [x.x.x.x]
  8  if-11-3.tcore2.PDI-PaloAlto.as6453.net [x.x.x.x]
  9  if-22-2.tcore2.LVW-LosAngeles.as6453.net [x.x.x.x]
 10  if-10-0-0-5.mcore5.LAA-LosAngeles.as6453.net [x.x.x.x]
 11  Request timed out.
 12  Request timed out.
 13  vdc.vn [123.29.5.170]
 14  vdc.vn [123.29.6.238]
 15  MYHOSTNAME [113.167.250.138]

Obviously it's a spammer trying to send mail to a local account on my server, but how does that IP address resolve to localhost/MYHOSTNAME by two of my machines?

Edit 1: I will remove the spammer's (apparent) IP from this question later today.

Edit 2: Well anyone can just look at the edit history, so I see no benefit in removing the spammer's IP address. Mods, I think it would be a good idea if you want to remove the IP permanently.

Jeff

3 Answers

5

A person who owns an IP address can make it resolve to whatever host/domain name they want and a person who controls a domain can make its hosts resolve to whatever IP addresses they want.

David Schwartz
  • How does the owner make the IP resolve to MYHOSTNAME on the traceroute? That's what really got me confused. – Jeff Jul 14 '13 at 11:10
  • He could have put "MYHOSTNAME" down for the name, but it seems like your system somehow converted "localhost" to "MYHOSTNAME". (I checked the record and it appears to say "localhost", at least right now.) – David Schwartz Jul 14 '13 at 11:11
4

A much more likely explanation is that when the remote mail server connected to your server it sent a HELO localhost. This will generate precisely the error you are seeing if you (quite likely) have reverse lookups enabled.

David Hoelzer
  • I thought the same thing until the traceroute resolved to localhost, too. – Jeff Jul 14 '13 at 16:07
  • @Jeff, both answers you got do not contradict but complement each other. David Hoelzer explained the reason for the error in the postfix log and David Schwartz explained your traceroute results. – Alex P. Jul 14 '13 at 16:52
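
Added example (not from the question or from any of the answers, and not Postfix code): a small Python parser that walks syslog lines like the ones in the question and collects, per client IP, the indicators both explanations above point at: the "hostname X does not resolve to address Y" warning, a client logged as "unknown", and a HELO argument that is "localhost", unqualified, or one of the receiving server's own names. The sample log is constructed for this example; the host name "mail", the relay mx1.partner.example.net on 192.0.2.10 and the timestamps are made up, the spammer's session is copied from the question with the recipient domain unified.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the syslog excerpt in the question.  The
# first four lines are the spammer's session as logged there (timestamps and
# the host name "mail" added); the last two are a made-up, correctly
# configured relay on 192.0.2.10, included for contrast.
SAMPLE_LOG = """\
Jul 14 10:01:02 mail postfix/smtpd[26261]: warning: hostname localhost does not resolve to address 113.167.250.138
Jul 14 10:01:02 mail postfix/smtpd[26261]: connect from unknown[113.167.250.138]
Jul 14 10:01:03 mail postfix/smtpd[26261]: NOQUEUE: reject: RCPT from unknown[113.167.250.138]: 550 5.1.1 <advertising@mydomain.example.com>: Recipient address rejected: User unknown; from=<bseatz@somedomain.example.com> to=<advertising@mydomain.example.com> proto=ESMTP helo=<localhost>
Jul 14 10:01:03 mail postfix/smtpd[26261]: disconnect from unknown[113.167.250.138]
Jul 14 10:05:00 mail postfix/smtpd[26270]: connect from mx1.partner.example.net[192.0.2.10]
Jul 14 10:05:01 mail postfix/smtpd[26270]: NOQUEUE: reject: RCPT from mx1.partner.example.net[192.0.2.10]: 550 5.1.1 <nobody@mydomain.example.com>: Recipient address rejected: User unknown; from=<someone@partner.example.net> to=<nobody@mydomain.example.com> proto=ESMTP helo=<mx1.partner.example.net>
"""

# The warning Postfix logs when the PTR name of a client does not resolve
# back to the client's address.
WARNING_RE = re.compile(
    r"warning: hostname (?P<ptr>\S+) does not resolve to address (?P<ip>[\d.]+)")

# A NOQUEUE reject line: client name and IP, status code, recipient, reason,
# envelope sender and the HELO/EHLO argument the client presented.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<name>\S+)\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) \S+ "
    r"<(?P<rcpt>[^>]*)>: (?P<reason>.*?); from=<(?P<sender>[^>]*)> "
    r"to=<[^>]*> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>")


def helo_is_suspicious(helo, own_names):
    """Return a short reason if the HELO/EHLO argument is one a properly
    configured relay would not send, or None if it looks plausible.
    own_names is a set of lower-cased names belonging to this server."""
    h = helo.strip().lower()
    if h == "localhost" or h.startswith("localhost."):
        return "HELO claims to be localhost"
    if h in own_names:
        return "HELO claims to be this server"
    if h.startswith("[") and h.endswith("]"):
        return None  # address literal: syntactically valid HELO
    if "." not in h:
        return "HELO is not a fully qualified hostname"
    return None


def analyze(log_text, own_names=()):
    """Collect, per client IP, the indicators that the connecting host is not
    a properly configured mail relay.  Clients with no findings are omitted."""
    own = {n.lower() for n in own_names}
    findings = defaultdict(list)

    def note(ip, msg):
        if msg not in findings[ip]:
            findings[ip].append(msg)

    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            note(m["ip"], f"PTR name {m['ptr']!r} does not resolve back to the client")
            continue
        m = REJECT_RE.search(line)
        if m:
            reason = helo_is_suspicious(m["helo"], own)
            if reason:
                note(m["ip"], f"{reason} ({m['helo']!r})")
            if m["name"] == "unknown":
                note(m["ip"], "no usable reverse DNS (client logged as unknown)")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG, own_names=["MYHOSTNAME"]).items():
        print(ip)
        for r in reasons:
            print("  -", r)
```

Run against the sample, only 113.167.250.138 is reported, with three findings: the PTR mismatch warning, the "localhost" HELO and the "unknown" client name; the well-behaved relay on 192.0.2.10 is rejected for an unknown user too, but shows none of these. On a real server the same three properties are what Postfix's own restrictions key on (smtpd_helo_required, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname), so a parser like this is mainly useful for reviewing what got through before those restrictions were in place.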
0

Given this odd behaviour with the name resolution, it is possible that (to allow for EHLO LOCALHOST working), the spammer has managed to set his rDNS record (138.250.167.113.in-addr.arpa) to IN PTR localhost..

You can actually confirm this if you want to by using dig; this is in fact what they have done (and this is why it's not so bad to post the attacker's IP for all of us to see).

Then, what happens is that your Windows computer sees this, and translates it to its own name (in Windows traceroute). There are other hosts like this in the path too (such as 113.171.5.14). Linux won't do that translation.

Falcon Momot
  • Thanks for the info. That's exactly what I thought @DavidSchwartz meant with his answer. More confirmation is always good! Regarding the IP address, someday somebody legitimate is going to be responsible for it. I'd hate to penalize "future stewards." – Jeff Jul 14 '13 at 18:44
  • Yeah, I just thought I'd add more detail. – Falcon Momot Jul 14 '13 at 18:53
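
Added example (not from this answer and not Postfix code): the forward-confirmed reverse DNS check behind the warning in the question, written out in Python. It builds the in-addr.arpa name for an address, takes the PTR result, resolves that name forward again, and only accepts the name if the original address comes back; that is the check Postfix applies before it will log a client as anything other than "unknown". The DNS answers are a constructed in-memory stand-in so the code runs offline: the PTR for the question's IP is "localhost", as this answer describes, while mx1.partner.example.net on 192.0.2.10 and the PTR-less 198.51.100.7 are made up for contrast.

```python
import ipaddress

# Constructed stand-in for the DNS answers involved; nothing is queried on
# the network.  The PTR for the question's client IP is "localhost", as the
# answer above describes.  192.0.2.10 is a made-up, correctly configured host
# and 198.51.100.7 a made-up address with no PTR at all.
FAKE_PTR = {
    "138.250.167.113.in-addr.arpa.": "localhost.",
    "10.2.0.192.in-addr.arpa.": "mx1.partner.example.net.",
}
FAKE_FORWARD = {
    "localhost.": ["127.0.0.1", "::1"],
    "mx1.partner.example.net.": ["192.0.2.10"],
}


def reverse_name(ip):
    """Owner name of the PTR record for ip (in-addr.arpa for IPv4, ip6.arpa
    for IPv6).  This is the name 'dig -x' constructs for you."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip, ptr_lookup, forward_lookup):
    """Forward-confirmed reverse DNS.

    ptr_lookup(name) returns the PTR target or None; forward_lookup(name)
    returns the list of A/AAAA addresses or None.  Returns (verdict, name)
    with verdict 'ok' (PTR name resolves back to ip), 'mismatch' (PTR name
    exists but does not resolve to ip) or 'no-ptr'.
    """
    name = ptr_lookup(reverse_name(ip))
    if name is None:
        return "no-ptr", None
    addrs = forward_lookup(name) or []
    wanted = ipaddress.ip_address(ip)
    if any(ipaddress.ip_address(a) == wanted for a in addrs):
        return "ok", name
    return "mismatch", name


def postfix_view(ip, ptr_lookup=FAKE_PTR.get, forward_lookup=FAKE_FORWARD.get):
    """Reproduce what Postfix would log for the client: the 'name[ip]' label
    and, for a PTR name that fails forward confirmation, the warning line
    from the question.  A client without confirmed rDNS is shown as unknown."""
    verdict, name = fcrdns(ip, ptr_lookup, forward_lookup)
    if verdict == "ok":
        return f"{name.rstrip('.')}[{ip}]", None
    warning = None
    if verdict == "mismatch":
        warning = f"warning: hostname {name.rstrip('.')} does not resolve to address {ip}"
    return f"unknown[{ip}]", warning


if __name__ == "__main__":
    for ip in ("113.167.250.138", "192.0.2.10", "198.51.100.7"):
        label, warning = postfix_view(ip)
        print(label, "|", warning or "(no warning)")
```

For the question's address the PTR target "localhost" forward-resolves to 127.0.0.1 and ::1, not to 113.167.250.138, so the name is discarded, the client is labelled unknown[113.167.250.138] and the exact warning from the syslog is produced; the made-up relay passes and keeps its name. Against live DNS the same two steps are what the answer suggests doing by hand: dig -x on the address, then a forward query for whatever name comes back.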