Author: Peter Bowyer Date: To: exim users Subject: Re: [exim] e-mail problems on linux using exim
On 05/06/06, altendew <andrew@???> wrote:
> I have posted here before but it seems to me that I was not clear enough about
> the situation and what the problem is.
> Our server gets bombarded with email and we think some of these emails
> contain some sort of encrypted scripts which get executed by the server.
Exim will only do this if you've told it to. 'Encrypted scripts' don't
sound very likely.
> We will receive randomly generated e-mail, for example with the address
> 3732328727432.8942847284@??? , then this email gets converted into
> several messages with different recipient addresses which get sent out in
> relay fashion.
We went through the 'relay' business at length with you before; the
log entries you posted showed emails being delivered to local users on
your server, no evidence of any relaying. Do you have log entries to
support the relaying assertion, or the 'converted into several
messages' assertion?
If you're receiving messages for non-existent users at your domain,
that's easy to fix with ACLs so you reject them at SMTP time. Just
about every MTA on the planet suffers from this, and although you
can't make the delivery attempts go away, you can stop them using up
your resources.
> those numbers are automatically generated so we cannot deny
> service to any header containing that e-mail address, every single one of
> them is unique.
Headers are almost certainly a red herring, we're talking about
envelope recipients, I presume? Again, you can deny non-existent
recipients in an ACL.
> The content of the email is totally gibberish to us, it is all
> encoded.
And is almost certainly completely irrelevant.
> we know because when we watch the queue we see the above message
> being received and then several other messages get added after it. If we
> wait and try to open the original message, it gets automatically deleted,
> probably by the script it contains.
I'd blame black magic for that. Seriously, this is very unlikely. Post
the log entries relating to these misbehaving messages.
> the more interesting thing is that the content says IMAGE, but there is no image and no
> attachments to the original message, just some code. Some of the code is
> pairs of characters in HEXADECIMAL code, numbers 1 to 0 and letters A to F,
> some have true binary code listed in them, all 1s and 0s, and some have just
> random characters, probably encrypted... The problem is that when I try to read
> some of these emails I get instantly warned about some sort of virus attacking
> my computer, so I assume that whatever is in those emails gets executed in
> my browser when I access, for example, the mail queue manager in webhost at root
> level.
I don't think you have a very good handle on what a virus can and
can't do, and what the risk profile is of opening an attachment on
your PC.
> On our receiving end we get thousands of emails rejected by other servers
> either for spam or virus content.
Are you sure these are not backscatter NDRs from spam forged with your
domain as sender? Do you know that your server actually sent the
messages which are being returned to you? Again, log entries and
headers needed to make the assessment.
> To understand the situation fully, it is like having a DDoS attack: it brings our
> server to a standstill and all our applications are collapsing. We get
> continuous warning messages for exim fail, pop fail and imap fail. It is
> getting so difficult that we are not even able to log in as root to see
> what is going on. This problem started about 2 months ago, and it seems that
> everything we try is futile. We cannot stop this.
> We appreciate any help and directions on this matter from anyone who can
> help us.
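The RCPT-time rejection of non-existent recipients that Peter recommends above, shown as an added Exim configuration example. This is not configuration from the thread or from Exim's shipped default file; the domain `example.com` and the ACL name `acl_check_rcpt` are placeholders, and the fragment only covers the recipient check and the relay refusal, not the rest of a working `exim.conf`.

```exim
# Added example (not from the thread): a minimal RCPT-time ACL that
# rejects recipients the server could not deliver to, so that mail for
# non-existent local users is refused during the SMTP dialogue instead
# of being accepted, queued, and bounced later. Domain is a placeholder.

domainlist local_domains = @ : example.com

# Main-section option: run this ACL for every RCPT TO command.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Messages submitted locally (no remote host) are always accepted.
  accept  hosts = :

  # For our own domains the recipient must verify, i.e. a router must be
  # able to deliver to it. Unknown local users get a 550 at RCPT time,
  # so the sending side carries the cost and nothing is queued here.
  deny    message  = Unknown user in local domain
          domains  = +local_domains
          !verify  = recipient

  # Known recipients in our own domains are accepted.
  accept  domains = +local_domains

  # Anything else would be relaying to a foreign domain: refuse it.
  deny    message = relay not permitted
```

The fragment can be exercised without sending real mail by starting a fake SMTP session with `exim -bh 192.0.2.1` (a documentation address) and typing `MAIL FROM` and `RCPT TO` commands for an existing and a non-existent local user; the non-existent one should be refused before `DATA` is ever reached, and the rejection will be recorded in the reject log, which is also the evidence Peter asks for above.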