[Exim] Re: Broken in...

Author: Derrick 'dman' Hudson
Date:  
To: exim-users
Subject: [Exim] Re: Broken in...
--
On Mon, Jul 15, 2002 at 01:54:12PM -0400, Gururajan Ramachandran wrote:
|
| Hello,

|
| It seems someone found a hole in our Exim 3.12 system over the weekend and
| started using our email server to relay junk email. The turning off
| relay was already in place. They found some other hole by using a
| specific username. I have had to turn off this username via the
| system filter to temporarily disable the stream of email filling up
| the mail queue. Now the log has a whole bunch of messages that look
| like this:

|
| 2002-07-15 13:30:42 17U9gI-0000uU-00 <= user@ourdomain U=user P=local S=1168

                                                                ^^^^^^^

| 2002-07-15 13:30:42 17U9gI-0000uU-00 => discarded (message_filter)
| 2002-07-15 13:30:42 17U9gI-0000uU-00 Completed

|
| I have changed the actual username and domain but the general idea
| should be clear.

|
| The problem is that it does not list sending host or any other info.


It came from your own machine. It didn't come from an SMTP session,
but rather someone invoking /usr/sbin/exim and piping the message in.

| I do not have enough knowledge to figure out how to track down where
| this stuff is coming from...

|
| Does anybody know how I can shut this off? It seems the Exim system
| thinks these emails are actually being generated locally?


They are.

| Please help as I need to make this username accessible again as
| internal automated emails are generated via username.


Just a guess, does that user have a 'formmail.pl' script somewhere?
That's a well-known way for spammers to use HTTP to anonymously relay
through you and make you look like a spammer.

What I would do is create a shell script of some sort and place it as
/usr/sbin/exim. This wrapper will log everything you can think of (e.g.
the output of /usr/bin/env) so that you can see how that user is
invoking exim.

HTH,
-D

--
Your beauty should not come from outward adornment, such as braided hair
and the wearing of gold jewelry and fine clothes.  Instead, it should be
that of your inner self, the unfading beauty of a gentle and quiet
spirit, which is of GREAT WORTH in God's sight.  For this is the way the
holy women of the past used to make themselves beautiful.
        I Peter 3:3-5


http://dman.ddts.net/~dman/
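
The wrapper suggested in the reply above, sketched as an added example that is not part of the original message. It assumes the real binary has been moved to /usr/sbin/exim.real and that /var/log/exim-wrapper.log is append-writable by the users that invoke exim; both paths and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: diagnostic wrapper installed as /usr/sbin/exim.
# Assumptions: real binary moved to /usr/sbin/exim.real; the log file is
# append-writable by callers (a shell wrapper does not run setuid).
REAL_EXIM="${REAL_EXIM:-/usr/sbin/exim.real}"
WRAP_LOG="${WRAP_LOG:-/var/log/exim-wrapper.log}"

# Command line of a process by pid (Linux /proc first, ps as fallback).
parent_cmd() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# Append one record describing who called us and how.
# Never reads stdin: the piped message must reach the real exim untouched.
log_invocation() {
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') pid=$$ ppid=$PPID"
        echo "user=$(id -un 2>/dev/null) uid=$(id -u) cwd=$(pwd)"
        echo "parent=$(parent_cmd "$PPID")"
        echo "argc=$#"
        for a in "$@"; do echo "arg=$a"; done
        # A CGI caller leaves these behind; they name the script and client.
        env | grep -E '^(SCRIPT_FILENAME|SCRIPT_NAME|REQUEST_URI|REMOTE_ADDR|HTTP_REFERER|HTTP_USER_AGENT|SERVER_NAME)=' | sed 's/^/cgi:/'
        # Full environment, as the reply suggests (/usr/bin/env output).
        env | sed 's/^/env:/'
    } >> "$WRAP_LOG" 2>/dev/null
}

main() {
    log_invocation "$@" || :    # a logging failure must not block delivery
    exec "$REAL_EXIM" "$@"
}

# Run only when installed under the MTA's name (sendmail is commonly a
# symlink to exim), so the file can be sourced or tested without exec'ing.
case "${0##*/}" in
    exim|sendmail) main "$@" ;;
esac
```

Records carrying `cgi:` lines point at a web script as the caller. The log holds every caller's full environment, so restrict who can read it and remove the wrapper once the source is found.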