Mounir ORFI

Yet another network engineer...

Why Vietnam Resolves to Localhost

| Comments

Today I discovered that The Country of Vietnam Resolves to Localhost

List of prefixes that resolves to localhost

I used the following Bash script to retrieve the list of prefixes that resolves to localhost:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/bin/bash

FILE="prefixes_AS7643"
exec 3< $FILE

while read <&3
do 
  if [[ `dig +short -x $REPLY` == *localhost* ]]
  then
      echo "$REPLY";
  fi
done

exec 3>&-

The result is as follow:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
113.174.0.0/19
113.174.32.0/19
113.174.64.0/19
113.174.96.0/19
113.174.128.0/19
113.174.160.0/19
113.174.192.0/19
113.174.224.0/19
113.175.0.0/19
113.175.32.0/19
113.175.64.0/19
113.175.96.0/19
113.175.128.0/19
113.175.160.0/19
113.175.192.0/19
113.175.224.0/19
113.191.32.0/19
113.191.64.0/19
113.191.96.0/19
113.191.128.0/19
113.191.160.0/19
113.191.192.0/19
113.191.224.0/19
123.30.4.0/23
123.31.0.0/19
123.31.3.0/24
123.31.4.0/24
123.31.8.0/24
123.31.9.0/24
123.31.10.0/24
123.31.11.0/24
123.31.12.0/24
123.31.16.0/24
123.31.17.0/24
123.31.26.0/24
123.31.32.0/19
123.31.64.0/19
123.31.96.0/19
123.31.128.0/19
123.31.160.0/19
123.31.192.0/19
123.31.224.0/19
203.160.0.0/23
203.162.128.0/20
203.162.150.0/23
203.162.150.0/24
221.132.0.0/20
221.132.48.0/20
221.132.48.0/24
221.132.49.0/24
221.132.50.0/24
221.132.51.0/24
221.132.52.0/24
221.132.54.0/24
221.132.55.0/24

Why ?

I knew that it has to do with SPAM, after some googling duckduckgoing it turned out that indeed it was used (I hope all email servers are patched by now) to bypass spam filters on mail servers that rely on FCrDNS as a form of authentication

A FCrDNS verification can create a weak form of authentication that there is a valid relationship between the owner of a domain name and the owner of the network that has been given an IP address. While weak, this authentication is strong enough that it can be used for whitelisting purposes because spammers and phishers can not usually by-pass this verification when they use zombie computers for mail spoofing. That is, the reverse DNS might verify, but it will usually be part of another domain than the claimed domain name.

The original blogpost describing the vulnerability (dates back to August 2009):

number of Vietnamese spam sources are currently attracting attention because the spammers have equipped the relevant hosts with DNS pointer records called “localhost”. As a result, IP addresses like 123.27.3.81, 222.252.80.188 or 123.16.13.188 produce this name when a reverse look-up occurs. The problem is caused by badly configured Domain Name Systems, as “localhost” should generally translate to a single IP address – 127.0.0.1 – which is reserved for local system loopback.

Some mail servers are configured in such a way that they don’t even accept emails from clients that exhibit a name that returns an obviously incorrect reverse lookup. However other mail servers give preferential treatment to “localhost” and grant the Far-Eastern clients a special privilege, namely the “relaying” of emails to arbitrary recipients even outside the local network, because the servers or administrators have assumed that “localhost” is part of the local network.

Mail server operators must make sure they avoid falling victim to this trick. For example, they can make relays only available from local IP addresses and not identify clients by reverse look-up DNS names. Normal open relay tests don’t produce an alert in this case, because the test client usually isn’t called “localhost”. Several vulnerable mail servers have already been added to the iX blacklist. In addition to blacklisting, the operators of open relays potentially face having to pay damages to spam or malware recipients.

Comments