Re: [exim] Dealing with clever spammers - how do I?

Author: Odhiambo G. Washington
Date:  
To: exim-users
Subject: Re: [exim] Dealing with clever spammers - how do I?
* On 16/06/06 12:44 +0100, Chris Lightfoot wrote:
| On Fri, Jun 16, 2006 at 01:24:25PM +0300, Odhiambo G. Washington wrote:
| >
| > Hi,
| >
| > PS: This is a bit OT, but there is an Exim bit.
| >
| >
| > I have a server that I use for hosting websites. I simply give ftp
| > access and the customer just uploads their web content. The problem
| > comes in the name of some code used in these websites - they allow
| > http-put and http-post by spammers.
| >
| > Information about my blacklisted server is here:
| >
| > http://dsbl.org/listing?62.8.64.6
| >
| > Now, since I am running Exim on this server, is there a way to take
| > care of (prevent the spamming) such a situation within Exim itself?
| >
| > So far, this server is almost permanently blacklisted.
| >
| > I'd appreciate if anyone knows a better way to audit the web data
| > content stored on the server, even ;)
|
| hang on, the claim in the above link is that your server
| is an open web proxy, not that there's a specific script
| on it that's exploitable (though of course there may be
| one of those too).


Sure. Only that at the back of my mind, I also thought of
the presence of one of those insecure scripts found on the
web and used without any due consideration by web designers.
Well, security is not a priority for the ones who are just
starting...

| I'm a bit surprised by that because your server (a)
| appears to be apache; but (b) doesn't list mod_proxy in
| the Server: header. It also doesn't appear to permit the
| types of exploits that the above link talks about:
|
| : chris@sphinx ~/sof*/mythic-u* $; telnet 62.8.64.6 80
| Trying 62.8.64.6...
| Connected to 62.8.64.6.
| Escape character is '^]'.
| POST http://sphinx.mythic-beasts.com:25/ HTTP/1.0
| Host: sphinx.mythic-beasts.com
| Content-Length: 112
|
| HELO fish
| MAIL FROM: <chris@???>
| RCPT TO: <chris@???>
| DATA
| Fish soup is good for you
| ..
| QUIT
| HTTP/1.1 404 Not Found
| Date: Fri, 16 Jun 2006 11:38:55 GMT
| Server: Apache/1.3.33 (Darwin) mod_jk/1.2.4 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7i PHP/4.3.11 mod_perl/1.26
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
|
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <HTML><HEAD>
| <TITLE>404 Not Found</TITLE>
| </HEAD><BODY>
| <H1>Not Found</H1>
| The requested URL / was not found on this server.<P>
| <HR>
| <ADDRESS>Apache/1.3.33 Server at sphinx.mythic-beasts.com Port 25</ADDRESS>
| </BODY></HTML>
|
| -- the results there indicate that it's just accepting
| HTTP requests for any hostname and returning a `not found'
| result (I guess you use the apache mass hosting mode?).


Yes. One IP, several name virtual hosts.


| I see from the blacklist page above that the emails which
| were passed through the machine were sent almost a year
| ago; perhaps the configuration of the machine has been
| changed to fix this problem since then?


Somewhere in between I took the management of the server
and disabled the default MTA it comes with (Postfix) and
instead deployed Exim. The reason was simply my allergy
to any other MTA ;)

| In any case I don't understand why the removal request
| hasn't been processed, though of course the operators of
| the blacklist are permitted to put whatever information
| they want into it, whether or not it's correct (module
| local law on defamation etc.). If they continue to be
| intransigent, forward mail via a second IP address and
| chalk this one up to the general idiocy of people trying
| to do spam filtering on IP address only.


Sure advice. I will resort to your advice as the "conclusive"
one to use. I also haven't understood why they have failed
to process the removal.
Now that you've tested and confirmed theirs is untrue, I'll
simply look for a different IP address and use that as the
outgoing.

Thank you so much for your time.



        cheers
       - wash 
+----------------------------------+-----------------------------------------+
Odhiambo Washington                    . WANANCHI ONLINE LTD (Nairobi, KE)  |
wash () WANANCHI ! com            . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223            . # 10286, 00100 NAIROBI             |
GSM: (+254) 733 744 121            . (+254) 020 313 985 - 9             |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"  
                         --from a /. post
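The open-proxy self-check Chris ran by hand above, as an added example for an administrator testing their own web server (not code from the thread or from Exim/Apache): build_probe() reproduces the absolute-URI POST aimed at port 25, and classify() reads the raw reply, treating a non-HTTP answer or a Via header as a sign the request was relayed and a reply whose Server header matches your own Apache as a locally handled (non-proxied) answer. Function names, the expected_server argument and the embedded sample reply are assumptions of this example; the target host should be one you control.

```python
import socket

def build_probe(target_host: str, target_port: int = 25) -> bytes:
    """Absolute-URI POST (as typed into telnet in the thread) aimed at an SMTP port."""
    body = b"QUIT\r\n"   # harmless body: an SMTP server would just close the session
    head = (f"POST http://{target_host}:{target_port}/ HTTP/1.0\r\n"
            f"Host: {target_host}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body

def classify(reply: bytes, expected_server: str) -> str:
    """'local'   : our own web server answered the request itself (not a proxy),
       'relayed' : reply looks like it came from or through another host,
       'unknown' : cannot tell from headers alone (check access logs)."""
    head, _, _ = reply.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)
    if not status[0].startswith(b"HTTP/"):
        return "relayed"          # e.g. an SMTP "220 ..." banner came back instead of HTTP
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"via" in headers or b"x-forwarded-for" in headers:
        return "relayed"          # proxies are expected to add Via (RFC 2616 section 14.45)
    if expected_server.encode() in headers.get(b"server", b"") and len(status) > 1 \
            and status[1].startswith(b"4"):
        return "local"            # our Apache rejected it with its own 4xx, as in the thread
    return "unknown"

# Constructed sample: a trimmed copy of the 404 reply quoted in the thread.
SAMPLE_LOCAL_404 = (b"HTTP/1.1 404 Not Found\r\n"
                    b"Server: Apache/1.3.33 (Darwin)\r\n"
                    b"Connection: close\r\n"
                    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
                    b"<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD></HTML>")

def probe(web_server: str, target_host: str, expected_server: str,
          port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe to your own web server and classify what comes back."""
    with socket.create_connection((web_server, port), timeout=timeout) as s:
        s.sendall(build_probe(target_host))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return classify(b"".join(chunks), expected_server)

if __name__ == "__main__":
    print(classify(SAMPLE_LOCAL_404, "Apache/1.3.33"))   # offline run on the sample
```

A "local" result only says this particular request was not relayed; an "unknown" result is worth following up in the Apache access and error logs, and Apache's own fix is to keep ProxyRequests off (or not load mod_proxy at all).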