Re: [Exim] some assistance please. mail hitting my server 1,…

Author: Michael J. Tubby B.Sc. \(Hons\) G8TIC
Date:  
To: k9register, exim-users
Subject: Re: [Exim] some assistance please. mail hitting my server 1,000 to 4,000 emails in seconds.
----- Original Message -----
From: "k9register" <admin@???>
To: <exim-users@???>
Sent: Thursday, January 09, 2003 1:44 PM
Subject: [Exim] some assistance please. mail hitting my server 1,000 to 4,000 emails in seconds.


> Hello group.
>
> My server has been hit for weeks at different times of the day with
> 1,000 to 4,000 emails in seconds. I have checked logs and watched top -c
> for hours and ran netstat -an and still am confused as to how these
> emails get in.
>
> They are sent to or from my server as nobody and to all different
> hotmail, yahoo and msn addresses, thousands of them all addressed to the
> same account.
>
> Some mornings there are 12,000 emails in the queue. Deleting them is not
> a problem apart from a few clients' emails which get lost in the process.
>
> I have managed to stop them relaying out with some changes to exim.conf
> and shutting down sendmail. When watching top -c I get multiple sendmail
> processes appear for a second and then gone; sure enough I check the
> queue and thousands are there.
>
> I have upgraded the kernel only yesterday. I run Bastille which is set up
> fairly well.
>
> Could I have some opinions as to how this sort of thing happens? I have
> searched the server for mail-bombs and any exploits which might cause
> this. Some have suggested it's a client, as my server is a webhosting
> server, but to get 13 megabytes into my server or out of it in seconds
> would take a good connection, I would have thought.
>
> My exim.conf does not allow relaying.
>
> Thank you.
>


Other things you should check - people have used them against us or our
customers' machines in the past (or tried to):

a) do you run Squid proxy on the same machine? If so does it permit
method=CONNECT which may be used to inject email back into Exim
on localhost

b) do you run Apache web server on the same machine? Again does
it permit method=CONNECT allowing injection of email?

c) do you run a web server or CGI application with an old/broken
version of 'formail' which can also be exploited to deliver spam/uce?


Mike
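An added example, not from the original thread or from the Exim project: a small log-triage script that reads Exim main log arrival lines (the `<=` lines) and reports which submission origin produced a burst of messages inside a short window. My reading of the two posts is that a web-server process calling the local sendmail binary (Mike's item c) would show up as `P=local U=nobody`, while injection through a CONNECT-capable proxy on the same host (items a and b) would arrive as SMTP from `[127.0.0.1]`; the script separates the two so the burst can be attributed. The sample log lines, hostnames, addresses and message ids are constructed for the example; the window and threshold values are arbitrary assumptions to tune against a real log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Exim main log arrival lines; not real data.
# Format assumed: "<= sender [H=host [ip]] [U=user] P=protocol S=size ..."
SAMPLE_LOG = """\
2003-01-09 13:44:01 18WQaa-0001aa-00 <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048 id=a1@example.org
2003-01-09 13:44:02 18WQab-0001ab-00 <= nobody@web.example.net U=nobody P=local S=1312 id=r1@web.example.net
2003-01-09 13:44:02 18WQac-0001ac-00 <= nobody@web.example.net U=nobody P=local S=1312 id=r2@web.example.net
2003-01-09 13:44:03 18WQad-0001ad-00 <= nobody@web.example.net U=nobody P=local S=1312 id=r3@web.example.net
2003-01-09 13:44:03 18WQae-0001ae-00 <= bob@web.example.net U=bob P=local S=980 id=b1@web.example.net
2003-01-09 13:44:04 18WQaf-0001af-00 <= nobody@web.example.net U=nobody P=local S=1312 id=r4@web.example.net
2003-01-09 13:44:05 18WQag-0001ag-00 <= nobody@web.example.net U=nobody P=local S=1312 id=r5@web.example.net
2003-01-09 13:44:06 18WQah-0001ah-00 <= nobody@web.example.net U=nobody P=local S=1312 id=r6@web.example.net
2003-01-09 13:44:30 18WQai-0001ai-00 <= spam@example.com H=localhost (proxy) [127.0.0.1] P=smtp S=1500
2003-01-09 13:45:10 18WQaj-0001aj-00 <= spam@example.com H=localhost (proxy) [127.0.0.1] P=smtp S=1500
"""

# Only "<=" lines are message arrivals; "=>", "Completed" etc. are skipped.
ARRIVAL_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) <= (\S+) (.*)$")
HOST_RE = re.compile(r"H=\S+(?: \([^)]*\))? \[([^\]]+)\]")  # hostname, optional HELO, [ip]
USER_RE = re.compile(r"\bU=(\S+)")
PROTO_RE = re.compile(r"\bP=(\S+)")


def parse_arrivals(log_text):
    """Return one record per arrival line: time, origin key and envelope sender.

    origin is "local:<unix user>" for locally submitted mail (sendmail binary,
    pipe) and "<protocol>:<ip>" for mail received over a socket.
    """
    records = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        sender, rest = m.group(3), m.group(4)
        proto_m = PROTO_RE.search(rest)
        proto = proto_m.group(1) if proto_m else "?"
        if proto == "local":
            user_m = USER_RE.search(rest)
            origin = "local:" + (user_m.group(1) if user_m else "?")
        else:
            host_m = HOST_RE.search(rest)
            origin = proto + ":" + (host_m.group(1) if host_m else "?")
        records.append({"time": ts, "origin": origin, "sender": sender})
    return records


def find_bursts(records, window_seconds=10, threshold=100):
    """Map origin -> largest number of arrivals seen inside any window.

    Only origins whose peak reaches the threshold are returned; a sliding
    two-pointer pass over the sorted timestamps keeps this linear per origin.
    """
    times_by_origin = defaultdict(list)
    for r in records:
        times_by_origin[r["origin"]].append(r["time"])
    bursts = {}
    for origin, times in times_by_origin.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[origin] = best
    return bursts


if __name__ == "__main__":
    # Low threshold so the constructed sample triggers; on a real log use
    # something closer to the rates described in the thread.
    for origin, peak in find_bursts(parse_arrivals(SAMPLE_LOG), 10, 5).items():
        print(f"{origin}: {peak} arrivals within 10s")
```

On a real system you would feed `/var/log/exim/mainlog` (path varies by distribution) to `parse_arrivals`; a peak keyed `local:nobody` points at the web server's own processes, which is where the formmail-style CGI check belongs, and a peak keyed `smtp:127.0.0.1` is what to expect if a proxy on the same box is forwarding CONNECT sessions to port 25.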