Spam Filter ISP Support Forum


DonotTrustSelfByDefault

Keizersozay (Guest Group)
Posted: 07 April 2004 at 3:33pm

What is the purpose of the DoNotTrustSelfByDefault=0 entry in the spamfilter.ini file?

Lately I have seen this about three or four times a day in my log.

04/07/04 10:01:16:203 -- (10328) Connection from: 127.0.0.1  -  Originating country : N/A
04/07/04 10:01:16:203 -- (10328) Resolving 127.0.0.1 - localhost
04/07/04 10:01:16:203 -- (10328) Bypassed all rules for:
Orgpce@mailexite.com from x@mydomain.com
04/07/04 10:01:16:203 -- (10328) EMail from x@mydomain.com to Orgpce@mailexite.com was queued. Size: 1 KB
04/07/04 10:01:16:203 -- (10328) Disconnect

I don't know why... Could someone be spoofing their IP to say 127.0.0.1?
Could my SpamFilter server have a mass-mailing virus? I tested and set up Outlook Express on the actual server, set it to use itself as the SMTP server, and in the log it resolved to its real IP address and not the loopback address of 127.0.0.1...

I added 127.0.0.1 to the blacklisted IP address file, but what is the 'do not trust self by default' value for? Would this be a better solution for me if I set it to 1 instead of 0?

Thanks for the help.

LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Posted: 07 April 2004 at 10:28pm

Keizersozay,

I'm sorry, not only are there bugs in SpamFilter every now and then, but now the documentation has them too...

The readme.html should actually say:

;by default SpamFilter will not allow any IP to relay thru it except for 127.0.0.1 (localhost). Change DoNotTrustSelfByDefault to 1 if you do not want localhost to be able to relay
DoNotTrustSelfByDefault=0

This means that by default, as you can see in your logs, anything originating from 127.0.0.1 will be whitelisted. If you want to prevent that, then set the value DoNotTrustSelfByDefault=1, as you correctly pointed out.

As for the cause of those connections, if it was a virus you'd be seeing so many of those entries that you'd know immediately that it was indeed a virus. 3-4 a day indicate that the cause would be elsewhere.

Roberto F.
LogSat Software

Desperado (Senior Member)
Joined: 27 January 2005
Location: United States
Posted: 10 April 2004 at 3:40am

If, and the if is because I do not know your setup, the 127.0.0.1 is originating from OUTSIDE your machine, then it is an IP spoof. 127.0.0.1 should never arrive from outside, and any properly configured router should never pass that address. I would run a sniffing application such as Ethereal to see if the IP is external. If so, your router or firewall is letting it through, or some other machine on your local area network is in trouble. If it is not outside and is in fact originating from the machine itself, either you have some other application that is running SMTP or there is a virus present. I cannot imagine any other cause.

Regards,

Dan S.

Eric (Newbie)
Joined: 23 February 2005
Location: Netherlands
Posted: 28 February 2005 at 2:12pm
Take care: some spam domains already use the localhost entry IN THEIR DNS, so SpamFilter might fail to do its job without the don't-trust-self setting.

02-28-05 18:54:28:701 -- (1024) Connection from: 127.0.0.1 - Originating country : N/A
02-28-05 18:54:28:711 -- (1024) Resolving 127.0.0.1 - localhost.pregnancydailycalendar.com
02-28-05 18:54:28:711 -- (1024) Bypassed all rules for: CarolynPorter@pregnancydailycalendar.com from
02-28-05 18:54:29:051 -- (1024) EMail from to CarolynPorter@pregnancydailycalendar.com was queued. Size: 34 KB, 34816 bytes
02-28-05 18:54:29:061 -- (1024) Disconnect

Be prepared: do not relay for self / 127.0.0.1.
LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Posted: 28 February 2005 at 3:57pm
Eric,

The "Check for valid MX records" test actually looks out for such bogus entries and will reject the email if the 127.0.0.1 is in the spammer's DNS.

Going back to the original question, the "DoNotTrustSelfByDefault" option looks at the actual IP making the remote connection, so 127.0.0.1 would have to be the actual IP address connecting to SpamFilter. That's pretty much impossible to trick for now, as even with IP spoofing the TCP connection requires data to be transmitted back and forth, so a fake IP would not allow the return packets to reach the spammer.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Eric (Newbie)
Joined: 23 February 2005
Location: Netherlands
Posted: 28 February 2005 at 5:34pm
Yes, and stay sharp. Here, my ISP's DNS was spoofed by an internal "1 hour" customer; most ISPs route the 10.0.0.0/8 etc. private space internally, so everyone should be extra aware of their config....

Now, ... in the domain block, the entry localhost.* should be there,
and, ... in the from block, *@localhost.* should be present.

The posted IP is already in SpamCop now.
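An added illustration, not SpamFilter's own code, of the two points made above: Roberto's explanation that self-trust is decided on the real connecting address (never the PTR name) and that MX targets pointing into loopback are rejected, plus the localhost.* block-list entries Eric suggests. The peer address and MX lookup results are constructed, and applying the domain block to the PTR name of the connecting host is an assumption of this example.

```python
import ipaddress
from fnmatch import fnmatch

# Networks that can never be a reachable Internet mail exchanger. A sender
# domain whose MX hosts resolve only into these is treated as bogus.
UNREACHABLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "::1/128")]

# Eric's suggested block-list entries, applied here (an assumption) to the
# PTR name of the connecting host and to the envelope sender address.
DOMAIN_BLOCK = ["localhost.*"]
FROM_BLOCK = ["*@localhost.*"]

def relay_trusted(peer_ip, do_not_trust_self):
    """Whitelist rule as the corrected readme states it: only a peer whose
    real socket address is loopback is trusted, and only while
    DoNotTrustSelfByDefault=0. The PTR name is never consulted."""
    return ipaddress.ip_address(peer_ip).is_loopback and do_not_trust_self == 0

def mx_targets_valid(addresses):
    """True if at least one MX address lies outside UNREACHABLE_NETS."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    return any(not any(a in net for net in UNREACHABLE_NETS) for a in addrs)

def evaluate(conn, do_not_trust_self, mx_table):
    """Decide the fate of one connection, checks in the order the thread
    describes: self-trust bypass, block lists, then MX validity."""
    if relay_trusted(conn["peer_ip"], do_not_trust_self):
        return "bypass"            # 'Bypassed all rules for:' in the log
    if any(fnmatch(conn["ptr_name"].lower(), p) for p in DOMAIN_BLOCK):
        return "reject-domain-block"
    if any(fnmatch(conn["sender"].lower(), p) for p in FROM_BLOCK):
        return "reject-from-block"
    domain = conn["sender"].rsplit("@", 1)[-1]
    if not mx_targets_valid(mx_table.get(domain, [])):
        return "reject-mx"
    return "accept"

# Constructed sample data: PTR name and sender are taken from Eric's log; the
# peer address (documentation range) and MX results are made up.
SAMPLE_MX = {"pregnancydailycalendar.com": ["127.0.0.1"],
             "example.net": ["198.51.100.25"]}
SPAMMER = {"peer_ip": "203.0.113.55",
           "ptr_name": "localhost.pregnancydailycalendar.com",
           "sender": "CarolynPorter@pregnancydailycalendar.com"}
LOCAL = {"peer_ip": "127.0.0.1", "ptr_name": "localhost",
         "sender": "x@example.net"}
```

With DoNotTrustSelfByDefault=0 the LOCAL connection returns "bypass" exactly as in the original log; with the value set to 1 it falls through to the normal rules, and the SPAMMER connection is stopped by the domain block regardless of its PTR name.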
Desperado (Senior Member)
Joined: 27 January 2005
Location: United States
Posted: 28 February 2005 at 6:04pm

Eric,

Hmmm, I would question the statement "most ISPs route the 10.0.0.0/8 etc. private space internally". As an ISP, we go to great extremes to NEVER route any IPs that are not our PUBLIC, fully registered and BGP-announced IPs. Any private IPs are safely behind a NAT firewall and can never get to our border OR our public mail servers. Even in our backup location, where the hosting company there does a terrible job of managing private IPs, we use anti-spoofing in our PIX firewalls to prevent our systems from ever seeing an internal "spoof" or, as the case usually is, configuration errors.

There is zero chance that any private IPs can ever, under any conditions, leave our border. And ... if they did, our downstream provider would not route them anyway.

Dan S.


The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
