Re: [exim] Web account spoofing

Author: Tony Finch
Date:  
To: Gururajan Ramachandran
CC: exim-users
Subject: Re: [exim] Web account spoofing
On Thu, 8 Sep 2005, Gururajan Ramachandran wrote:

> It appears somebody has figured out how to inject email into our queue
> via the web account.


Sounds like you have a vulnerable CGI script.

> However, I would like to put in a check to make sure at the exim4 side.
> I would like to put in a check to make sure that if the sender email
> address has our domain anywhere in it and the email originating
> machine's ip address is not in our local area network, then reject the
> email.


If the above is correct, this will not help at all.

The default Exim configuration file is not particularly easy to break in
such a way that Exim becomes an open relay, so I think you should leave
Exim alone and concentrate on your web site.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}