[Exim] exim MTA used as unauthed relay

Author: Chris Huff
Date:  
To: 'exim-users@exim.org'
Subject: [Exim] exim MTA used as unauthed relay
I thought I had a secure setup. I would see people try and relay off of me
all the time, but all of a sudden I noticed my server was being used as a
relay for a spammer, and I'm quite pissed off and disappointed. I'm not sure
what I did wrong.

First, this shows up:

2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=master)
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=master)
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=master)
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=master)
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=master)
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=webmaster)
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=webmaster)
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=web
2003-03-27 22:46:25 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=server)
2003-03-27 22:46:25 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=server)
2003-03-27 22:46:25 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=server)
2003-03-27 22:46:25 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=server)
2003-03-27 22:46:25 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=server)

etc....

So, someone is trying to brute force past my auth setup. OK, fine, they don't
know my passwords.
Then this...

2003-03-30 06:09:25 18zdUz-000FEx-00 <= test@??? H=(server28) [66.139.77.28] P=asmtp A=fixed_login:server S=307
2003-03-30 06:09:27 18zdUz-000FEx-00 => user5@??? R=lookuphost T=remote_smtp S=320 H=mail.989888.com [211.167.101.164]
2003-03-30 06:09:28 18zdUz-000FEx-00 Completed

He got one through!
A=fixed_login:server ????? I don't have a user named server. I only have two
users able to relay, and neither is named server.

Then the spamming starts. Luckily I have my max connections etc. set low, b/c
it's my home mail server, so not too many spams got out, but 7000+ were on my
queue.
Now, maybe I didn't do a good job converting my cfg file from exim 3 to 4, but
I think it's OK; it stopped everyone I saw trying to relay for a LONG TIME,
and it stopped this guy for about a day as he tried to get in.
Here's the relevant parts of my cfg file. I'm stumped.

WWW = xxxx
GATE = xxxx
CRAIG = xxxx
WORK = xxxx
LOCALHOST = xxxx

domainlist local_domains = xxx.ca:www.xxx.ca:xxx.com
hostlist relay_hosts = WWW:GATE:CRAIG:LOCALHOST
hostlist auth_relay_hosts = *
auth_advertise_hosts = *

fixed_login:
driver = plaintext
public_name = LOGIN
server_condition = "${if eq {${lookup{$1}lsearch{/usr/local/exim/exim.passwd}{$value}}} {$2} {yes} {no}}"
server_set_id = $1
server_prompts = "Username:: : Password::"

Sorry if this is not enough info or I'm rambling, but any help would be
appreciated. For now I'm just going to change hostlist auth_relay_hosts = *
to equal specific hosts only, but I'll want to change this in the future.


Thanks
--CH
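Added example, not part of the post above and not Exim's own code: a small Python model of how the posted server_condition expands, next to a hardened form, plus a scan of the log lines from the post. The key property it demonstrates is an Exim expansion rule: a ${lookup...} with no failure branch expands to the empty string when the key is missing, so with the posted condition a username that is not in exim.passwd, sent together with an empty password, compares "" against "" and yields "yes". The Exim documentation recommends the fail keyword in the lookup's failure branch for exactly this reason; the hardened condition text shown in the docstring (fail plus an explicit !eq{$2}{} empty-password guard) is assumed config text written for this example, as are the user names and passwords in EXIM_PASSWD. The log scan flags a 535 brute-force pattern per source IP and any accepted message whose A=authname:user names a user absent from the password file, which is the check that would have caught the "fixed_login:server" line.

```python
import re
from collections import Counter, defaultdict

# Constructed stand-in for /usr/local/exim/exim.passwd (user: password).
# The post only says two users may relay and neither is named "server";
# these names and passwords are placeholders invented for the example.
EXIM_PASSWD = {
    "alice": "correct-horse",
    "bob": "battery-staple",
}


class ExpansionForcedFailure(Exception):
    """Stands in for an Exim forced expansion failure (the 'fail' keyword)."""


def lookup_lsearch(key, table, fail_on_miss=False):
    """Model ${lookup{key}lsearch{file}{$value}}        (fail_on_miss=False)
    and   ${lookup{key}lsearch{file}{$value}fail}    (fail_on_miss=True).
    With no failure branch, a key that is not in the file expands to ""."""
    if key in table:
        return table[key]
    if fail_on_miss:
        raise ExpansionForcedFailure(key)
    return ""


def weak_server_condition(user, password):
    """Model of the condition in the post ($1 = user, $2 = password):
    ${if eq {${lookup{$1}lsearch{exim.passwd}{$value}}} {$2} {yes} {no}}
    Unknown user -> lookup gives "" -> an empty password compares equal."""
    stored = lookup_lsearch(user, EXIM_PASSWD)
    return "yes" if stored == password else "no"


def hardened_server_condition(user, password):
    """Model of an assumed hardened condition (example text, not from the post):
    ${if and {{!eq{$2}{}}
              {eq {${lookup{$1}lsearch{exim.passwd}{$value}fail}} {$2}}}
      {yes} {no}}
    A forced expansion failure makes Exim fail the authentication."""
    if password == "":            # explicit empty-password guard
        return "no"
    try:
        stored = lookup_lsearch(user, EXIM_PASSWD, fail_on_miss=True)
    except ExpansionForcedFailure:  # user not in the file -> auth fails
        return "no"
    return "yes" if stored == password else "no"


# Exim main-log patterns for the two line types that matter here.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Authentication failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[\d.]+)\]: 535 Incorrect authentication data \(set_id=(?P<id>\w*)"
)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) H=\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[\d.]+)\] P=(?P<proto>\S+) A=(?P<auth>\w+):(?P<id>\w+)"
)

# Sample log: a subset of the lines quoted in the post, wrap-joined.
SAMPLE_LOG = """\
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=master)
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=master)
2003-03-27 22:46:20 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=webmaster)
2003-03-27 22:46:25 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=server)
2003-03-27 22:46:25 Authentication failed for (second) [218.25.142.197]: 535 Incorrect authentication data (set_id=server)
2003-03-30 06:09:25 18zdUz-000FEx-00 <= test@??? H=(server28) [66.139.77.28] P=asmtp A=fixed_login:server S=307
2003-03-30 06:09:27 18zdUz-000FEx-00 => user5@??? R=lookuphost T=remote_smtp S=320 H=mail.989888.com [211.167.101.164]
2003-03-30 06:09:28 18zdUz-000FEx-00 Completed
"""


def analyse_log(text, passwd=EXIM_PASSWD):
    """Count 535 failures and guessed usernames per IP, and flag accepted
    messages authenticated as a user that does not exist in the password file."""
    failures = Counter()            # ip -> number of 535 responses
    tried_ids = defaultdict(set)    # ip -> set of usernames guessed
    suspicious_logins = []          # (ip, authenticator, username)
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            failures[m["ip"]] += 1
            tried_ids[m["ip"]].add(m["id"])
            continue
        m = ACCEPT_RE.match(line)
        if m and m["id"] not in passwd:
            suspicious_logins.append((m["ip"], m["auth"], m["id"]))
    return {
        "failures": dict(failures),
        "tried_ids": {ip: sorted(ids) for ip, ids in tried_ids.items()},
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    print("weak, unknown user + empty password:", weak_server_condition("server", ""))
    print("hardened, unknown user + empty password:", hardened_server_condition("server", ""))
    for key, value in analyse_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The log scan is deliberately keyed on the password file rather than on a "known bad" list: any accepted message carrying A=<authenticator>:<user> for a user the file does not contain is, by construction, something the authenticator should never have produced, so it is the direct signal that the condition rather than a stolen password is at fault.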