Re: [exim] exim exploit or configuration problem

Pàgina inicial
Delete this message
Reply to this message
Autor: W B Hacker
Data:  
A: exim users
Assumpte: Re: [exim] exim exploit or configuration problem
Bridgit Griffin (Withers) wrote:

> Hi,
>
> Recently, since late Jun, I have been seeing spam that appears to be
> sent from an email alias I have. However, closer inspection of the spam
> headers shows that someone connected into the smtp server (Exim ver
> 4.52) then sent it out using my alias.


*snip*

>
> Please note I do not have control over the smtp server, my hosting
> provider does.


Then they will have to (help) sort the problem.

> Also there are no email accounts associated with the
> domains.


By default, there will ordinarily be *at least* 'postmaster@' and may also be
'abuse', 'webmaster', and perhaps a 'catchall' if the provider is lazy.

Your 'alias' is also an 'email account' of sorts, even if it has no local mailstore.

> This has happened on 4 different domains that I have. Please
> see a sample of the header below.
>
> Thanks!
>
> Received: from [220.70.206.152] (port=4460 helo=67.19.170.34)
>     by mustang.websitewelcome.com with smtp (Exim 4.52)
>     id 1Fv3uo-0006yP-G2 for postmaster@???; Mon,
>  26 Jun 2006 22:07:03 -0500
> Date: Mon, 26 Jun 2006 23:07:10 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: postmaster@???
> Subject: Re: hi
> To: postmaster@???
> Message-id: <548bgr$18nuf4m@???>
> X-AntiAbuse: This header was added to track abuse,
>  please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - colonichealth.net
> X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
> X-AntiAbuse: Sender Address Domain - colonichealth.net

>
>
> Received: from [60.179.219.85] (port=1166 helo=85.219.179.60.broad.nb.zj.dynamic.cndata.com)
>     by mustang.websitewelcome.com with smtp (Exim 4.52)
>     id 1FvZCG-000049-4X for postmaster@???; Wed, 28 Jun 2006 07:31:15 -0500
> Date: Wed, 28 Jun 2006 08:31:22 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: postmaster@???
> Subject: Something for your site..
> To: postmaster@???
> Message-id: <53079d$1gs0i10@???>
> X-AntiAbuse: This header was added to track abuse,
>  please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - nceweb.com

>
>


If this sort of message is reaching only your own MUA via the postmaster or
catchall alias, then a local MUA filter is a quick, albeit temporary, fix.

If it is being relayed or creating collateral-spam bounces to the world at
large, then your provider needs to clean up his config, or you need a more
'aware' provider.

Note the mismatch in the sample you submitted between the actual connection-from
IP and the alleged source IP/domain. Properly configured Exim need not permit
that to come onto the box at all.

Help here is, of necessity, largely available/of value only to those who *DO*
control an MTA, and a current Exim one at that, not one a couple of years old.

HTH,

Bill