Re: [exim] exim exploit or configuration problem

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] exim exploit or configuration problem
Bridgit Griffin (Withers) wrote:
> Recently, since late Jun, I have been seeing spam that appears to be
> sent from an email alias I have. However, closer inspection of the spam
> headers shows that someone connected into the smtp server (Exim ver
> 4.52) then sent it out using my alias.
>
> My question is this an exploit or a configuration problem?
>
> My other question is there a way to shut this down? Or can I get enough
> info to bring to my hosting provider so they can fix whatever problem
> maybe on their side?
>
> Please note I do not have control over the smtp server, my hosting
> provider does. Also there are no email accounts associated with the
> domains. This has happened on 4 different domains that I have. Please
> see a sample of the header below.
>
> Thanks!
>
> Received: from [220.70.206.152] (port=4460 helo=67.19.170.34)
>     by mustang.websitewelcome.com with smtp (Exim 4.52)
>     id 1Fv3uo-0006yP-G2 for postmaster@???; Mon,


The mail is for you, as well as claiming to be from you.
If they were accepting mail claiming to be from you and
relaying it out-system I'd be more worried.

Unless they provide flexible filtering for individual customers,
there's not much they can do (barring things like SPF, which
I'm not in favour of, and DKIM which I'm not convinced is ready
for prime-time).

Does postmaster *ever* send any mail under that name? If not,
it's simple for you to configure any decent MUA to discard them.
A flexible-filter ESP would be able to reject them in the first place.

- Jeremy
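As an added example (not code from this thread or from Exim), here is a small Python parser for the Exim-style Received line quoted above. It separates the bracketed address the MTA actually observed on the socket from the self-asserted HELO value, and records the indicators a defender would note: an IP-literal HELO that differs from the real connecting IP, plain SMTP rather than ESMTP, and delivery inbound to the reader's own domain rather than outward relay. The sample header is constructed from the quoted fragment; the recipient domain and the date are placeholders.

```python
import re

# Constructed sample, modelled on the Exim 4.52 Received line in the thread.
# The original obfuscated the recipient and was cut off after "Mon,"; the
# domain example.net and the date here are placeholders, not from the page.
SAMPLE_RECEIVED = (
    "from [220.70.206.152] (port=4460 helo=67.19.170.34) "
    "by mustang.websitewelcome.com with smtp (Exim 4.52) "
    "id 1Fv3uo-0006yP-G2 for postmaster@example.net; "
    "Mon, 3 Jul 2006 10:00:00 -0500"
)

# Field layout Exim uses for an unauthenticated TCP client.
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>[^\]]+)\] \(port=(?P<port>\d+) helo=(?P<helo>\S+)\) "
    r"by (?P<by>\S+) with (?P<proto>\S+) \((?P<mta>[^)]+)\) "
    r"id (?P<id>\S+) for (?P<rcpt>[^;]+);"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_exim_received(header):
    """Split an Exim 'Received:' header into a dict of its fields."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("not an Exim-style Received header")
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    fields["rcpt"] = fields["rcpt"].strip()
    return fields


def assess(header, my_domains):
    """Return the observed connecting IP, the claimed HELO and a list of findings."""
    r = parse_exim_received(header)
    findings = []
    # The bracketed IP is what the MTA saw; HELO is whatever the client chose to say.
    if IPV4_RE.match(r["helo"]) and r["helo"] != r["ip"]:
        findings.append("helo is an IP literal that differs from the connecting IP")
    elif not IPV4_RE.match(r["helo"]) and "." not in r["helo"]:
        findings.append("helo is not a fully qualified hostname")
    # Exim writes "with smtp" for HELO clients and "with esmtp" for EHLO clients.
    if r["proto"].lower() == "smtp":
        findings.append("client used plain SMTP HELO rather than ESMTP EHLO")
    # Inbound to one of your own domains: the server accepted it for you, not relayed it.
    if r["rcpt"].rsplit("@", 1)[-1].lower() in my_domains:
        findings.append("delivered inbound to your own domain, not relayed outward")
    return {"connecting_ip": r["ip"], "helo": r["helo"],
            "recipient": r["rcpt"], "findings": findings}
```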