Re: [Exim] thousands and thousands of messages in the que..

Author: Tim Jackson
Date:  
To: exim-users
Subject: Re: [Exim] thousands and thousands of messages in the que..
Hi Colin, on Sat, 8 Feb 2003 17:58:48 -0700 you wrote:

> I don't have an open relay


I rather suspect you do, albeit in a weird/limited kind of way.

> 2003-02-08 17:25:13 18hS6v-0003la-00 => fossil3@???
> 2003-02-08 17:25:20 18hS6o-00054l-00 => fosro@???

[etc.]

Hmm, certainly looks like someone's doing a dictionary attack or
alphabetical spam run through your machine.

> 2003-02-07 18:32:50 18hJrN-0004F5-00 <= 1775kocci1@???
> H=(hanmir.com) [211.59.151.92]:64750 I=[142.179.166.201]:25 P=smtp
> S=3158 id=118400-2200326813257593@??? T="=?ks_c_5601-1987?B?
> JiM0MDsmIzQ0MzA1OyYjNDQyNTY7JiM0MTv==?=
> \307\366\264\353\304\253\265\345
> \275\305\303\273\307\317\274\274\277\344,
> \307\366\264\353\304\253\265\345\270\270\300\307
> \306\257\272\260\307\324" from <1775kocci1@???> for
> falco93@???


211.59.151.92 seems to be the culprit. The \xxx stuff is encoded foreign
language.

> cat /opt/exim/configure


No, don't just post it verbatim - don't include comments (other than short
explanatory notes by yourself about why you've done a particular thing)
when posting configs to the list, especially with bad wrapping! It makes
it very slow/difficult to read through!

> acl_check_rcpt:
> accept hosts = :
> accept hosts = enkidu.infinithost.com
> accept hosts = ircd.lomag.net
> accept hosts = therightapproach.com
> accept hosts = ix.netcom.com
> accept hosts = *.ualberta.ca
> accept hosts = *.openbsd.org
> accept hosts = *.freebsd.org
> accept hosts = *.earthlink.com
> accept hosts = *.chater.net
> accept hosts = s142-179-166-202.ab.hsia.telus.net
> accept hosts = *.infinithost.com
> accept hosts = smtp.futureway.com
> accept hosts = firefoxmarketing.com
> accept hosts = cheerful-com.mr.outblaze.com
> accept hosts = cheerful.com


Woah. That looks nasty and is probably your problem. You *really* want to
let any of these hosts (*.earthlink.com in particular?) use you as a
relay? That's what you've just said.

I'm guessing you were trying to say "don't run RBL checks/strict HELO
checking/etc. against these hosts", but this is not the way to do it.
Well, not at this point in the config file anyway. What you've just said
is "accept from these hosts, and skip any further checking [including
checking if the mail is going to a local_domain]".

You'd be better setting up a hostlist "friendly_hosts" or something and
then using that as a negative condition for checks you want skipped for
them.

> deny dnslists =        bl.spamcop.net : \
>          relays.ordb.org : \
>          dnsbl.njabl.org : \
>          blackholes.wirehub.net : \
>          relays.visi.com : \
>          sbl.spamhaus.org : \
> deny  message  = Sender's domain is listed at $dnslist_domain


This is not relevant to your open relay problem, but I don't think you
intended the second 'deny'; it should look something vaguely like this:

deny  message  = whatever
      dnslists = blah : foo


And, incidentally, for the lists that you've chosen, it's not the sender's
domain that's listed, it's the sender's IP. You might want to revise your
error message to avoid confusion.

Tim
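Sketch of the "friendly_hosts" approach Tim suggests above, combined with the corrected deny/dnslists layout and IP-based wording from the end of his reply. This is an added illustration, not a config from the thread; every domain, host and address in it is a placeholder, and the blacklists are the two from the original post that the example keeps.

```exim
# Domains we accept mail for, and the ONLY hosts allowed to relay through us.
# All names and addresses below are placeholders for illustration.
domainlist local_domains    = example.net
domainlist relay_to_domains = customer.example.org
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# Hosts exempted from DNS blacklist checks. Membership here does NOT grant relay.
hostlist   friendly_hosts   = *.example.edu : mail.friend.example.com

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Local (non-SMTP) submissions.
  accept  hosts = :

  # Relaying is decided solely by membership in relay_from_hosts.
  accept  hosts = +relay_from_hosts

  # Blacklist checks apply to everyone except friendly_hosts. A single deny
  # carries both the message and the dnslists condition; the listed item is
  # the connecting IP, so the message says so rather than "sender's domain".
  deny    message  = Sender host $sender_host_address is listed at $dnslist_domain
          !hosts   = +friendly_hosts
          dnslists = bl.spamcop.net : sbl.spamhaus.org

  # Only our own domains and those we knowingly relay for reach delivery.
  accept  domains = +local_domains : +relay_to_domains

  # Anything else is a relay attempt from an untrusted host.
  deny    message = relay not permitted
```

A friendly host now skips only the blacklist lookup; a recipient outside the two domain lists is still refused, which is what the original list of bare "accept hosts" lines failed to do.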