Hi there,
Today we got hit by a spam attack, which to my surprise was successful.
Our config looked like this:
------------------------------------------------------------
relay_domains_include_local_mx = true
host_lookup = *
host_accept_relay = +warn_unknown:localhost:192.168.0.0/24:mysql;MYSQL_RELAY
rbl_domains = blackholes.mail-abuse.org/warn : \
dialups.mail-abuse.org/warn : \
relays.mail-abuse.org/warn : \
relays.orbs.org/warn
------------------------------------------------------------
There were 2 things I noticed:
1. Some spammers (there were several) used a sender domain with an MX record
pointing to 127.0.0.1 (tricky, eh?).
Although "relay_domains_include_local_mx = true" should not be affected by
this (there is no MX record of the recipient address pointing to 127.0.0.1)
sender checks based on local mx entries will be affected by this.
2. The spammers used IP addresses without reverse mapping. In the logs I saw
that they were permitted (!) to relay, although they were not in any list of
host_accept_relay. I suppose this is due to the +warn_unknown. All IPs of
the spammers were listed in RBL databases.
I immediately changed my config to this:
------------------------------------------------------------
# relay_domains_include_local_mx = true
host_lookup =
host_accept_relay = 127.0.0.1:192.168.0.0/24:mysql;MYSQL_RELAY
rbl_domains = blackholes.mail-abuse.org/warn : \
dialups.mail-abuse.org/warn : \
relays.mail-abuse.org/warn : \
relays.orbs.org/warn : \
inputs.orbz.org/warn : \
outputs.orbz.org/warn
------------------------------------------------------------
I removed relay on mx (although it has nothing to do with this particular
attack), added all domains we relay for and which are not listed in
local_domains to relay_domains, changed host_lookup to not enforce DNS
lookups on everything and changed "localhost" to "127.0.0.1" because I found
in the archives, that I need to remove list entries which make a dns lookup
of the sender address (from left to right).
My problems are now:
1. I'm getting lots of "refused relay (host) to <my.address> (failed to find
host name from IP address)", although my.address is a valid local address.
This is due to removal of +warn_unknown, ok. But if I enable +warn_unknown,
then everybody without reverse DNS is able to use us as an open relay,
because then they are valid for host_accept_relay. Is this right? How can I
configure Exim to accept mail to local domains even from unresolvable hosts?
How can I see if a host was rejected because of no reverse lookup or not
listed in host_accept_relay (error message seems to be the same)?
2. As many of the German dialup IPs are listed in ORBS, I cannot use RBL reject.
Does Exim allow those hosts to use us as a relay if
a) they are listed in an RBL and I use RBL reject
and
b) they are listed in host_accept_relay
?
Which comes first? Can I use RBL reject if my RBL'ed dialup users are in
host_accept_relay?
Hope this is not too confusing :-)
Please reply also via mail to me directly, because I'm not subscribed to
the list (too many mails, ever thought about splitting up the list?).
Greetings,
Bjoern
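The relay behaviour described in the post, as an added example that is not part of the original mail: a simplified Python model of how an Exim 3 host list such as host_accept_relay is evaluated (the semantics are my assumption, not Exim's own code), with a constructed reverse-DNS table and the mysql lookup item left out. It shows why an unresolvable connecting IP matches the original list (the `localhost` name item forces a reverse lookup, which fails, and `+warn_unknown` turns that failure into a match) while the list with a literal `127.0.0.1` needs no lookup at all.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed reverse-DNS table standing in for the resolver; none of these
# are real hosts. None means "no PTR record", like the spammers' addresses.
PTR_TABLE = {
    "127.0.0.1": "localhost",
    "192.168.0.7": "pc7.internal.example",
    "198.51.100.2": "mail.partner.example",
    "203.0.113.45": None,
}

# The two host_accept_relay lists from the post, minus the mysql lookup item.
ORIGINAL_RELAY_LIST = "+warn_unknown:localhost:192.168.0.0/24"
FIXED_RELAY_LIST = "127.0.0.1:192.168.0.0/24"


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for the PTR lookup Exim does when a list item is a host name."""
    return PTR_TABLE.get(ip)


def host_list_matches(host_list: str, ip: str) -> Tuple[bool, str]:
    """Simplified model of Exim 3 host-list evaluation (assumption, not Exim code).
    Address/CIDR items are compared against the IP directly. A host-name item
    forces a reverse lookup; if that fails, the host matches only when
    +allow_unknown or +warn_unknown appeared earlier in the list.
    """
    unknown_matches = False
    for item in (i.strip() for i in host_list.split(":")):
        if item in ("+allow_unknown", "+warn_unknown"):
            unknown_matches = True
            continue
        if item.startswith("+") or ";" in item:
            continue  # other pseudo-items and lookup items are out of scope here
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            net = None
        if net is not None:  # address or CIDR item: no DNS involved
            if ipaddress.ip_address(ip) in net:
                return True, f"{ip} matched {item}"
            continue
        name = reverse_lookup(ip)  # host-name item: needs the PTR record
        if name is None:
            if unknown_matches:
                return True, f"unresolvable {ip} accepted by +warn_unknown at '{item}'"
            return False, "failed to find host name from IP address"
        if name.lower() == item.lower():
            return True, f"{ip} ({name}) matched {item}"
    return False, "no item matched"
```

Running host_list_matches(ORIGINAL_RELAY_LIST, "203.0.113.45") returns a match, while the same IP against FIXED_RELAY_LIST does not, which is the open-relay difference the post describes.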