Auteur: Michael J. Tubby B.Sc. \(Hons\) G8TIC Date: À: k9register, exim-users Sujet: Re: [Exim] some assistance please. mail hitting my server 1,000 to 4,000 emails in seconds.
----- Original Message -----
From: "k9register" <admin@???>
To: <exim-users@???>
Sent: Thursday, January 09, 2003 1:44 PM
Subject: [Exim] some assistance please. mail hitting my server 1,000 to
4,000 emails in seconds.
> This is a multi-part message in MIME format.
> --
> [ Picked text/plain from multipart/alternative ]
> Hello group.
>
> My server has been hit for weeks at different times of the day with
> 1,000 to 4,000 emails in seconds, I have checked logs and watched top -c
> for hours and ran netstat -an and still am confused as to how these
> emails get in.
>
> they are sent to or from my server as nobody and to all different
> hotmail , yahoo and msn address, thosands of them all addressed to the
> same account.
>
> some mornings there are 12,000 emails in the queue, deleting them is not
> a problem apart from a few clients emails which get lost in the process.
>
> I have managed to stop them relaying out with some changes to exim.conf
> and shutting downsend mail, when watching top -c I get multiple sendmail
> procceses appear for a second and then gone, sure enough I check the
> queue and thousands are there.
>
> I have upgraded the kernal only yesterday, I run Bastille which is setup
> fairly well.
>
> Could I have some opinions as to how this sort of thing happens, I have
> searched the server for mail-bombs and any exploits, which might cause
> this, some have suggested its a client as my server is a webhosting
> server, but to get 13 megabytes into my server or out of it in seconds
> would take a good connection I would have thought.
>
> My exim.conf does not allow relaying.
>
> thankyou.
>
>
Other things you should check - people have used them against us or our
customer's machines in the past (or tried to):
a) do you run Squid proxy on the same machine? If so does it permit
method=CONNECT which may be used to inject email back into Exim
on localhost
b) do you run Apache web server on the same machine? Again does
it permit method=CONNECT allowing injection of email?
c) do you run a web server or CGI application with an old/broken
version of 'formail' which can also be exploited to deliver spam/uce?