On Mon, 15 Jul 2002, Gururajan Ramachandran wrote:
>
> Hello,
>
> It seems someone found a hole in our Exim 3.12 system over the weekend and
> started using our email server to relay junk email. Turning off relaying was already
> in place. They found some other hole by using a specific username. I have had to
> turn off this username via the system filter to temporarily disable the stream of email
> filling up the mail queue. Now the log has a whole bunch of messages that look like
> this:
>
> 2002-07-15 13:30:42 17U9gI-0000uU-00 <= user@ourdomain U=user P=local S=1168

"P=local" - the message is not entering your system via SMTP, but from a
local process. Perhaps you have an insecure formmail script installed in
the webserver cgi-bin?

> 2002-07-15 13:30:42 17U9gI-0000uU-00 => discarded (message_filter)
> 2002-07-15 13:30:42 17U9gI-0000uU-00 Completed
>
> I have changed the actual username and domain but the general idea should be clear.
>
> The problem is that it does not list sending host or any other info. I do not have enough
> knowledge to figure out how to track down where this stuff is coming from...
>
> Does anybody know how I can shut this off? It seems the Exim system thinks these
> emails are actually being generated locally?

They *are* being received by exim locally from some other process calling
exim. Where the other processes might be getting them, exim does not
know, nor can it.

>
> I found the "forbid_domain_literals" option and set it to true and restarted the Exim 3.12
> but maybe that was not the solution.
>
> Please help as I need to make this username accessible again as internal automated emails
> are generated via username.
>
> Thanks,
>
> Guru
>
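
The distinction drawn in the reply above, as an added example that is not part of the original thread: a Python script that reads Exim main-log text, keeps only the `<=` arrival lines marked `P=local`, and groups them by the `U=` login with a first/last timestamp to compare against other local logs such as the web server's. The sample log is constructed; its `H=`/`P=esmtp` line and every host, id and address in it are assumptions.

```python
import re

# Constructed sample in the main-log layout quoted in the message above.
# Hosts, message ids and addresses are made up for the example.
SAMPLE_LOG = """\
2002-07-15 13:30:41 17U9gH-0000uT-00 <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048
2002-07-15 13:30:42 17U9gI-0000uU-00 <= user@ourdomain U=user P=local S=1168
2002-07-15 13:30:42 17U9gI-0000uU-00 => discarded (message_filter)
2002-07-15 13:30:42 17U9gI-0000uU-00 Completed
2002-07-15 13:30:43 17U9gJ-0000uV-00 <= user@ourdomain U=user P=local S=1171
2002-07-15 13:30:44 17U9gK-0000uW-00 <= root@ourdomain U=root P=local S=640
"""

# "<date> <time> <message id> <= <sender> <key=value fields...>"
ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+)(.*)$")
FIELD = re.compile(r"(?:^|\s)([A-Za-z]+)=(\S+)")


def parse_arrival(line):
    """Return a dict for a '<=' arrival line, or None for any other line."""
    m = ARRIVAL.match(line)
    if m is None:
        return None
    stamp, msgid, sender, rest = m.groups()
    fields = dict(FIELD.findall(rest))
    return {"time": stamp, "id": msgid, "sender": sender,
            "proto": fields.get("P"), "user": fields.get("U"),
            "host": fields.get("H")}


def local_submissions(log_text):
    """Group P=local arrivals by the U= login of the process that called Exim."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None or rec["proto"] != "local":
            continue  # deliveries, "Completed" lines and SMTP arrivals
        entry = summary.setdefault(
            rec["user"], {"count": 0, "first": rec["time"], "ids": []})
        entry["count"] += 1
        entry["last"] = rec["time"]  # main log is written in time order
        entry["ids"].append(rec["id"])
    return summary


if __name__ == "__main__":
    for user, e in local_submissions(SAMPLE_LOG).items():
        print(f"U={user}: {e['count']} local messages, "
              f"{e['first']} .. {e['last']}")
```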