Re: [Exim] thousands and thousands of messages in the que..

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Colin Harford
Fecha:  
A: exim-users
Asunto: Re: [Exim] thousands and thousands of messages in the que..
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Okay, so now, I have a little more time.


Sorry for the cat of the config, as I was on my way out the door, and
wanted to get things out to the list...


Going through the logs, I see this:

2003-01-30 23:35:44 SMTP connection from [61.254.207.176]:64311 (TCP/IP
connection count = 1)
2003-01-30 23:35:49 18eUmC-0000BU-00 SA: SAEximRunCond expand returned:
'1'
2003-01-30 23:35:49 18eUmC-0000BU-00 SA: check succeeded, running spamc
2003-01-30 23:35:56 18eUmC-0000BU-00 SA: SAEximRejCond expand returned:
'1'
2003-01-30 23:35:56 18eUmC-0000BU-00 SA: Writing message to
/var/spool/exim/SAtempreject/new/410-22003153165324265@???
2003-01-30 23:35:56 18eUmC-0000BU-00 SA: local_scan temporarily
rejected message: hits=11.1 required=7.1 trigger=10.0 (scanned in 7/7
secs). From <kocci1@???> (host=NULL [61.254.207.176]) for
ahn901222@???
2003-01-30 23:35:56 18eUmC-0000BU-00 temporarily rejected by
local_scan(): Heuristics guessed that this message was spam:\nhits=11.1
required=7.1 trigger=10.0, so it is temporarilty rejected.\nAdmins may
whitelist this and it may be accepted when you resubmit it.
2003-01-30 23:35:56 SMTP connection from (hanmir.com)
[61.254.207.176]:64311 closed by QUIT


This is exim-4.12 with sa-exim-2.2 (local_scan) [see
http://marc.merlins.org/linux/exim/sa.html].

So, I have tweaked a few settings of spamassasin. Since I did that mad
delete there hasn't been any more of those messages in my que...

CH



On Sunday, February 9, 2003, at 02:19 AM, Tim Jackson wrote:

> Hi Colin, on Sat, 8 Feb 2003 17:58:48 -0700 you wrote:
>
>> I don't have an open relay
>
> I rather suspect you do, albeit in a weird/limited kind of way.
>
>> 2003-02-08 17:25:13 18hS6v-0003la-00 => fossil3@???
>> 2003-02-08 17:25:20 18hS6o-00054l-00 => fosro@???
> [etc.]
>
> Hmm, certainly looks like someone's doing a dictionary attack or
> alphabetical spam run through your machine.


Ya, I'm guessing something like that
>
>> 2003-02-07 18:32:50 18hJrN-0004F5-00 <= 1775kocci1@???
>> H=(hanmir.com) [211.59.151.92]:64750 I=[142.179.166.201]:25 P=smtp
>> S=3158 id=118400-2200326813257593@??? T="=?ks_c_5601-1987?B?
>> JiM0MDsmIzQ0MzA1OyYjNDQyNTY7JiM0MTv==?=
>> \307\366\264\353\304\253\265\345
>> \275\305\303\273\307\317\274\274\277\344,
>> \307\366\264\353\304\253\265\345\270\270\300\307
>> \306\257\272\260\307\324" from <1775kocci1@???> for
>> falco93@???
>
> 211.59.151.92 seems to be the culprit. The \xxx stuff is encoded
> foreign
> language.
>
>> cat /opt/exim/configure
>
> No, don't just post it verbatim - don't include comments (other than
> short
> explanatory notes by yourself about why you've done a particular thing)
> when posting configs to the list, especially with bad wrapping! It
> makes
> it very slow/difficult to read through!
>
>> acl_check_rcpt:
>> accept hosts = :
>> accept hosts = enkidu.infinithost.com
>> accept hosts = ircd.lomag.net
>> accept hosts = therightapproach.com
>> accept hosts = ix.netcom.com
>> accept hosts = *.ualberta.ca
>> accept hosts = *.openbsd.org
>> accept hosts = *.freebsd.org
>> accept hosts = *.earthlink.com
>> accept hosts = *.chater.net
>> accept hosts = s142-179-166-202.ab.hsia.telus.net
>> accept hosts = *.infinithost.com
>> accept hosts = smtp.futureway.com
>> accept hosts = firefoxmarketing.com
>> accept hosts = cheerful-com.mr.outblaze.com
>> accept hosts = cheerful.com
>
> Woah. That looks nasty and is probably your problem. You *really* want
> to
> let any of these hosts (*.earthlink.com in particular?) use you as a
> relay? That's what you've just said.
>
> I'm guessing you were trying to say "don't run RBL checks/strict HELO
> checking/etc. against these hosts", but this is not the way to do it.
> Well, not at this point in the config file anyway. What you've just
> said
> is "accept from these hosts, and skip any further checking [including
> checking if the mail is going to a local_domain])".
>
> You'd be better setting up a hostlist "friendly_hosts" or something and
> then using that as a negative condition for checks you want skipped for
> them.
>
>> deny dnslists =        bl.spamcop.net : \
>>          relays.ordb.org : \
>>          dnsbl.njabl.org : \
>>          blackholes.wirehub.net : \
>>          relays.visi.com : \
>>          sbl.spamhaus.org : \
>> deny  message  = Sender's domain is listed at $dnslist_domain

>
> This is not relevant to your open relay problem, but I don't think you
> intended the second 'deny'; it should look something vaguely like this:
>
> deny  message  = whatever
>       dnslists = blah : foo

>
> And, incidentally, for the lists that you've chosen, it's not the
> sender's
> domain that's listed, it's the sender's IP. You might want to revise
> your
> error message to avoid confusion.
>
> Tim
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> Exim details at http://www.exim.org/ ##
>
>
>

This PGP signature is signed to charford at infinithost.com. If you
have received this signature from a different email account please
email that account and a different key will be sent. Sorry for any
problems.

This electronic message transmission contains information that is
privileged, confidential or otherwise the exclusive property of the
intended recipient or the sender. This information is intended for the
use of the individual or entity that is the intended recipient. If you
are not the designated recipient, please be aware that any
dissemination, distribution or copying of this communication is
strictly prohibited. If you have received this electronic transmission
in error, please notify us by electronic mail charford @
infinithost.com and promptly destroy the original transmission. Thank
you for your assistance.

-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (Darwin)

iD8DBQE+SB09tf2vknGZ+KoRAjYwAJ9wV4u1u5DL+bgxpSJKS8pUZsi1BgCgiiVr
PYoFbxs3jZ5iENi61tu4pTw=
=c/U4
-----END PGP SIGNATURE-----