Re: [exim] exim exploit or configuration problem

Author: Peter Bowyer
Date:  
To: Exim, Users
Subject: Re: [exim] exim exploit or configuration problem
On 10/07/06, Bridgit Griffin (Withers) <bridgit@???> wrote:
> Received: from [220.70.206.152] (port=4460 helo=67.19.170.34)
>        by mustang.websitewelcome.com with smtp (Exim 4.52)
>        id 1Fv3uo-0006yP-G2 for postmaster@???; Mon,
>  26 Jun 2006 22:07:03 -0500
> Date: Mon, 26 Jun 2006 23:07:10 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: postmaster@???
> Subject: Re: hi
> To: postmaster@???
> Message-id: <548bgr$18nuf4m@???>
> X-AntiAbuse: This header was added to track abuse,
>  please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - colonichealth.net
> X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
> X-AntiAbuse: Sender Address Domain - colonichealth.net
Is 'colonichealth.net' your domain? If so, you're seeing very simple
forged-header spam. Your provider could soup up their exim config to
do extra checking before accepting incoming mail which forges its own
domains.

Note that this is spam forged as coming from you - but when the
spammer connects to the next victim, the spam will be forged as coming
from that victim - there's no evidence of using your provider's server
to relay spam in your name.

I don't know what box of tricks injects those X-AntiAbuse: headers, it
isn't vanilla Exim - but whatever it is, it looks like it's being
fooled by the forged spam. Have you spoken to the owner of the server?

Peter
--
Peter Bowyer
Email: peter@???
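The "extra checking" Peter suggests, written out as an added Exim ACL fragment (it is not from this thread or the Exim project's own configuration). It assumes the `+local_domains` and `+relay_from_hosts` lists from Exim's default configure file and is meant to be slotted into the existing `acl_check_rcpt` and `acl_check_data` ACLs, ahead of the statements that accept local recipients:

```exim
# Added example, not from the mailing-list thread: reject mail that forges
# one of our own domains unless the session is authenticated or comes from a
# host we knowingly relay for. Assumes the default +local_domains and
# +relay_from_hosts lists.
acl_check_rcpt:
  # A bare IP address as HELO (compare "helo=67.19.170.34" in the quoted
  # Received: line) is not a host name; real MTAs send a name or a
  # bracketed address literal, which isip{} does not match.
  deny    message        = HELO/EHLO must be a host name, not a bare IP address
          log_message    = bare-IP HELO $sender_helo_name from $sender_host_address
          condition      = ${if isip{$sender_helo_name}}

  # Envelope sender claims one of our domains, but the connection is neither
  # authenticated nor from a trusted relay host: treat it as forged.
  deny    message        = Sender domain $sender_address_domain is hosted here; authenticate to send as it
          log_message    = forged local sender $sender_address from $sender_host_address
          sender_domains = +local_domains
          !authenticated = *
          !hosts         = +relay_from_hosts

acl_check_data:
  # Same rule for the From: header, which is what the recipient actually
  # sees; the spam in the thread used From: postmaster@<own domain>.
  deny    message        = From: header forges a locally hosted domain
          log_message    = forged From: $h_from: from $sender_host_address
          condition      = ${if match_domain{${domain:$h_from:}}{+local_domains}}
          !authenticated = *
          !hosts         = +relay_from_hosts
```

Before deploying, walk a fake session through the ACLs with `exim -bh <remote-ip>` and confirm that an unauthenticated HELO of a bare IP or a MAIL FROM in one of your domains is rejected while authenticated submissions still pass.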