[Wolves] Exim relay problem

Adam Sweet drinky76 at yahoo.com
Wed Jun 14 22:24:29 BST 2006


--- Wayne Morris <wayne at machx.co.uk> wrote:

> Wayne Morris wrote:
>
> > Hi,
> >
> > Just noticed that my exim 4 email server (on FC3) has become an open
> > relay.
> > Here are the first few lines of a sample incoming spam email:
> >
> >
> > Maybe I'm reading it wrong, but it appears to be getting through
> > because the relayer is spoofing its address as 127.0.0.1, which EXIM
> > was set to allow.
> > However, I have blocked relaying from 127.0.0.1 and it's still getting
> > through.
> >
> > Any ideas?
> >
> >
> Right, removing 'relay from 127.0.0.1' DID stop the message being
> relayed, but the message was being bounced back to me as an error.
> I've now renamed the email server, so relays are rejected and bounces go
> to null.
>
> But how do I stop the attack and/or find out and block the IP address
> of the attacking PC? My Eximon just shows incoming mail from 127.0.0.1
> and my hostname.

To be honest, I'd not thought of a web form or CGI like David suggested,
but I've seen it happen and it can get pretty busy quickly if word gets
passed around.
Can you look at the 'Received' headers, as these can't be falsified as
far as I know? I can give you some config that will refuse mail from
remote hosts claiming to be your own IP address, but that won't help you
in this case as the stuff appears to be coming from 127.0.0.1.

What does this mail server do? Just mail you logs and
whatnot, or are there real users' mail there? If it
just mails you logs etc then stopping localhost from
relaying will stop that and you may as well not run
the daemon.

I can pass you some config to try and tighten up if there are real
mailboxes involved, though I believe for quite a few of these parts you
need exim4-heavy, which is exim4 with the exiscan patch; there are Debian
binaries available, and I think there were FC ones too when I tried.
Without exim4-heavy/exiscan patch your blocking abilities are limited,
and so is my knowledge. If the spam is coming from localhost then
exim4-heavy and all of the filtering in the world isn't going to help
you.

For a good idea of some exim spam tightening
techniques (with exim4-heavy), have a look at the
Vexim config and http://www.sput.nl/software/exim.html
(Debian specific I'm afraid, though I'm sure similar
ones for FC exist).

If you have users, SMTP authentication would be a
great start (look at Vexim's config, although it uses
MySQL). You can then block anyone who can't
authenticate and also add all kinds of fancy blocking
on people (SPF, RBLs and other from above link -
though some are REALLY strict and block anyone whose
server is misconfigured, which after some
experimentation, seems to be half the net).

If you need bits of config I can help you, but a web form sounds like the
first port of call. If the earliest Received header is from localhost
then that's where the mail originated, especially if the user is
apache at servername, though that can be spoofed.

Which leads me on to an exim question of my own...

Ad

-- 

http://www.drinky.org.uk

http://blog.adamsweet.org
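
The Received-header walk suggested in the message above, worked through as an added example (this is not Exim's own code, nor anything Adam or Wayne posted). One caveat a practitioner should keep in mind: a sender can put any Received: lines it likes into the message body it submits, so only the lines added by your own MTA are trustworthy. Because each hop prepends its line, the topmost line naming your host as "by" is certainly yours; anything below it that also claims "by your-host" is either your own re-injection or a forgery, and should be checked against Exim's main log by message id. The two messages below are constructed samples, the hostnames and addresses (mail.example.net, 198.51.100.7 and so on) are assumptions, and the message ids are made up.

```python
"""Walk Received: headers to find where a message entered *our* mail
system.  Added example for the discussion above; not Exim's own code,
and every sample message, host and message id here is constructed."""
import re
from email import message_from_string

# One Received: line as Exim (and most MTAs) write it:
#   from <helo-or-local-user> (<rdns> [<ip>] helo=...) by <our-host> with <proto> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                # HELO name, or the local user for 'with local'
    r"(?:\s+\((?P<extra>[^)]*)\))?"       # optional "(rdns [ip] helo=...)" block
    r"\s+by\s+(?P<by>\S+)"                # the host that wrote this line
    r"(?:.*?\s+with\s+(?P<proto>\S+))?"   # smtp / esmtp / esmtpa / local ...
)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Parse one Received: header value; None if it is not in the usual shape."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    extra = m.group("extra") or ""
    ipm = IP_RE.search(m.group("helo") + " " + extra)   # Exim puts [ip] in either spot
    helo_m = re.search(r"helo=(\S+)", extra)             # "helo=" wins over the bare name
    return {
        "helo": helo_m.group(1) if helo_m else m.group("helo"),
        "ip": ipm.group("ip") if ipm else None,
        "by": m.group("by").lower(),
        "proto": (m.group("proto") or "").lower(),
    }


def entry_hop(raw_message, our_hosts):
    """Return (trusted_entry, unverified) for a message.

    Received: lines are prepended, so the topmost line naming one of our
    hosts as 'by' was definitely written by us: nothing the sender supplied
    can sit above it.  Lines *below* it that also claim 'by <our host>' may
    be a genuine local re-injection or a forgery planted by the sender; they
    are returned separately to be checked against Exim's main log by message
    id rather than trusted blindly.
    """
    ours = {h.lower() for h in our_hosts}
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    trusted, unverified = None, []
    for hop in hops:                      # index 0 is the latest hop
        if hop["by"] in ours:
            if trusted is None:
                trusted = hop
            else:
                unverified.append(hop)
    return trusted, unverified


def describe(hop):
    """Turn the entry hop into something the admin can act on."""
    if hop is None:
        return "no Received: line written by our hosts"
    if hop["proto"] == "local":
        return f"injected locally as user '{hop['helo']}' on {hop['by']}: look for a script (web form, CGI)"
    if hop["ip"] in ("127.0.0.1", "::1"):
        return f"SMTP over loopback to {hop['by']} (HELO {hop['helo']}): a local process, not a remote relay"
    return f"SMTP from {hop['ip'] or hop['helo']} to {hop['by']} (HELO {hop['helo']}): this is the address to block"


# Constructed sample 1: spam generated by a web script on our box, handed to
# Exim through the sendmail interface, then relayed on to a remote MX.
LOCAL_INJECTION = """\
Received: from mail.example.net ([192.0.2.10])
\tby mx.example.org with esmtp id 1Fqabc-0001Ab-Cd; Wed, 14 Jun 2006 21:55:02 +0100
Received: from apache by mail.example.net with local (Exim 4)
\tid 1Fqabb-0001Aa-Bc; Wed, 14 Jun 2006 21:55:00 +0100
From: spammer@example.com
To: victim@example.org
Subject: constructed sample

body
"""

# Constructed sample 2: a remote host connects, says HELO localhost, and
# includes a forged lower Received: line claiming the mail came from 127.0.0.1.
FORGED_LOOPBACK = """\
Received: from [198.51.100.7] (helo=localhost)
\tby mail.example.net with smtp (Exim 4) id 1Fqacd-0001Ac-De; Wed, 14 Jun 2006 22:01:17 +0100
Received: from localhost ([127.0.0.1]) by mail.example.net with esmtp id forged; Wed, 14 Jun 2006 22:01:10 +0100
From: spammer@example.com
To: victim@example.org
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, raw in (("local injection", LOCAL_INJECTION), ("forged loopback", FORGED_LOOPBACK)):
        entry, unverified = entry_hop(raw, ["mail.example.net"])
        print(f"{name}: {describe(entry)}")
        for hop in unverified:
            print(f"  unverified line claims from {hop['ip'] or hop['helo']} by {hop['by']}")
```

Run against a saved copy of one of the relayed messages with your own hostname in place of mail.example.net. For the first sample it reports a local injection by the web server user, which is the "web form" case; for the second it names 198.51.100.7 as the connecting client and flags the 127.0.0.1 line as unverified. Any flagged line whose message id does not appear in Exim's main log was written by the sender, not by you.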



