

How is spammer getting around Exim Relay blocks?




Posted by Frontpage, 04-29-2010, 12:19 PM
This server is a CentOS/cPanel/Exim setup. The mail for this certain domain is currently set up to use Google Apps. However, our firewall just detected an unauthorized user who logged in via SMTP and sent spam. There are currently no email accounts set up for this account. So it is not a password issue. There has to be an exploit out there. Here is a sample of the server log: I can't figure out how they are doing it. They only accessed the server once according to our logs and logged in via SMTP to relay spam. We banned the IP but how the hell did they do it? The domain logs show zero access activity other than our IP.

Posted by Frontpage, 04-29-2010, 12:21 PM
Hell, I would be happy just to get an Exim rule that blocks BCCs, that would definitely cut down on any spam that gets through.

Posted by david510, 04-29-2010, 01:53 PM
Check the message ID from the exim log file.

Posted by PsyberMind, 04-29-2010, 04:46 PM
Here's an Exim rule for dropping BCC

Posted by Frontpage, 04-29-2010, 06:51 PM
Here is the sanitized log output: I modified my Exim to ban CC and BCC, so hopefully that will help.

Posted by Frontpage, 05-04-2010, 11:35 AM
I do believe there is an exploit in the Exim system somewhere. The spammers were able to use Auth Relay to send spam as an authenticated user via an IP on the server that has no website or email accounts. I have been able to ban the IPs via the Exim blacklist and then added a filter that limits the number of email recipients to prevent 300+ email recipients. I have verify sender on, SPF checking on, MailScanner, and no email clients like SquirrelMail installed. These folks are somehow tricking Exim into relaying spam through my server and I don't have the foggiest idea how they are doing it, as other attempts at relaying are stopped completely with the error notice. For those in the same boat, this is what I did to limit the number of recipients in the Exim config file.

Posted by JawadA, 05-07-2010, 04:53 PM
I would recommend you enable extended logging on your server for a few days and then sift through the logs to find the script/application generating these emails. Just add the line below in "WHM >> Exim Configuration Editor".

log_selector = +all

cPanel servers are prone to this problem of spam. Also, I enable the SMTP tweak and disable POP-before-SMTP authentication for cPanel servers as an anti-spam measure. http://etwiki.cpanel.net/twiki/bin/v...cs/RequireSMTP Allowing spammers to successfully make just 1 authentication via POP and giving them 30 minutes to send tonnes of emails unchecked is quite extreme. Disabling POP-before-SMTP is a wise option. This, along with extended logging, helps me keep spammers off the servers most of the time. Last edited by JawadA; 05-07-2010 at 04:58 PM.
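The log review suggested above can be scripted. The following is an added example, not code from the thread or from cPanel: it parses constructed Exim mainlog "<=" arrival lines (the P=esmtpa / A=authenticator:user fields are standard Exim logging; the hostnames, addresses and account names are made up) and flags accounts whose authenticated submissions come from more source IPs or envelope senders than a single legitimate user would normally produce, which is the pattern a stolen SMTP AUTH password leaves behind.

```python
import re
from collections import defaultdict

# Constructed sample of Exim mainlog arrival lines (not taken from the thread).
# P=esmtpa marks an authenticated SMTP session; A=<authenticator>:<user> names the account.
SAMPLE_MAINLOG = """\
2010-04-29 10:01:12 1O7Abc-0001Xy-Aa <= bob@example.net H=(mail.example.net) [198.51.100.7] P=esmtpa A=dovecot_login:bob S=2211 id=1@example.net
2010-04-29 10:03:40 1O7Abd-0001Xz-Ab <= bob@example.net H=(mail.example.net) [198.51.100.7] P=esmtpa A=dovecot_login:bob S=1870 id=2@example.net
2010-04-29 10:05:02 1O7Abe-0001Ya-Ac <= newsletter@shop.test H=(win-pc) [203.0.113.44] P=esmtpa A=dovecot_login:bob S=9120 id=3@shop.test
2010-04-29 10:05:03 1O7Abf-0001Yb-Ad <= newsletter@shop.test H=(win-pc) [203.0.113.44] P=esmtpa A=dovecot_login:bob S=9120 id=4@shop.test
2010-04-29 10:05:05 1O7Abg-0001Yc-Ae <= newsletter@shop.test H=([10.9.8.7]) [192.0.2.99] P=esmtpa A=dovecot_login:bob S=9121 id=5@shop.test
2010-04-29 10:06:00 1O7Abh-0001Yd-Af <= alice@example.net H=(laptop) [198.51.100.20] P=esmtpa A=dovecot_login:alice S=1400 id=6@example.net
2010-04-29 10:07:10 1O7Abi-0001Ye-Ag <= root@localhost U=root P=local S=300
"""

# The connecting IP is the bracketed address immediately before " P="; the HELO name in
# H=(...) may itself contain brackets, so the trailing " P=" anchor is what disambiguates.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\]'
    r' P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?'
)


def parse_arrivals(log_text):
    """Yield one record per authenticated arrival; local and unauthenticated lines are skipped."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m or not m.group('auth'):
            continue
        user = m.group('auth').split(':', 1)[-1]   # strip the authenticator name
        yield {'ts': m.group('ts'), 'id': m.group('id'), 'sender': m.group('sender'),
               'ip': m.group('ip'), 'user': user}


def suspicious_accounts(log_text, max_ips=1, max_senders=1):
    """Return {user: stats} for accounts authenticating from more distinct IPs,
    or submitting more distinct envelope senders, than the given thresholds."""
    stats = defaultdict(lambda: {'ips': set(), 'senders': set(), 'count': 0})
    for a in parse_arrivals(log_text):
        s = stats[a['user']]
        s['ips'].add(a['ip'])
        s['senders'].add(a['sender'])
        s['count'] += 1
    return {u: s for u, s in stats.items()
            if len(s['ips']) > max_ips or len(s['senders']) > max_senders}


if __name__ == '__main__':
    for user, s in suspicious_accounts(SAMPLE_MAINLOG).items():
        print(user, s['count'], 'msgs from', sorted(s['ips']), 'as', sorted(s['senders']))
```

On a live server feed it `/var/log/exim_mainlog` and raise the thresholds to match how many places each account legitimately sends from; an account that suddenly appears with a new IP and a foreign envelope sender is the one whose password needs changing.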

Posted by Frontpage, 05-10-2010, 08:25 AM
Thanks for the tip, JawadA. I already had those measures implemented and it made no difference. Somehow spammers were able to authenticate on a reserved IP that has no website, no email accounts, and no FTP. I do believe that there is an exploit out in the wild targeting cPanel. What I have a problem with is the flow chart of the Exim ACLs. I added 'verify sender' prior to authentication which cut down on attempts as 90%+ were bogus. I wish I could get the RBL blacklist checks prior to the authentication to further cut down on attempts. I have been manually adding bad IP blocks to the Exim blacklist after reviewing my logs each day. I even have the mail server disabled. Since I have done this, there have been no more successful relays. Last edited by Frontpage; 05-10-2010 at 08:31 AM.

Posted by pkhunter, 04-10-2012, 10:10 AM
Hi. Did you ever figure this out? I have everything possible set up and blocked in WHM and in CSF/LFD, but somehow relays are still happening.

Posted by brianoz, 04-10-2012, 10:15 PM
They seem to be stealing SMTP Auth passwords and using those recently, could it be that?

Posted by Server Adminz, 04-11-2012, 01:00 PM
This means that the remote machine was able to authenticate as user "user" and then sent email. Looks like this cPanel account is hacked. You need to change its password ASAP.


