Re: [exim] exim exploit or configuration problem

Author: Ian Eiloart
Date:  
To: bridgit, exim-users
Subject: Re: [exim] exim exploit or configuration problem


--On 9 July 2006 20:32:03 -0400 "Bridgit Griffin (Withers)"
<bridgit@???> wrote:

> Hi,
>
> Recently, since late Jun, I have been seeing spam that appears to be
> sent from an email alias I have. However, closer inspection of the spam
> headers shows that someone connected into the smtp server (Exim ver
> 4.52) then sent it out using my alias.
>
> My question is this an exploit or a configuration problem?


I think you mean "is this a vulnerability or a configuration problem"? A
vulnerability is not an exploit, merely an opportunity that could be
exploited for nefarious means.

In fact, this is a design flaw in the way Internet email works. It's quite
complex, but there are ways of configuring Exim to work within the design
but minimise the flaw. For example, it would be possible to configure the
server such that it will only accept email from your domain when you are
logged in to the server with a secure password. However, that will produce
side effects that might not be acceptable to you, which is why it is not
done by default.

> My other question is there a way to shut this down? Or can I get enough
> info to bring to my hosting provider so they can fix whatever problem
> maybe on their side?


You could ask them to require authenticated SMTP for email purporting to be
from your domains. However, you'll need to be sure that your MUA is
configured to support that - and similarly for any other people sending
email from those domains. You also need to be aware that this could break
your membership of some mailing lists (you might not see emails that you've
sent to the list).

Furthermore, you need to decide whether you want the Message Headers
inspected, as well as the envelope (which you can't see here). It's
entirely possible that the sender address given in the envelope isn't the
address in the "From:" header.

> Please note I do not have control over the smtp server, my hosting
> provider does. Also there are no email accounts associated with the
> domains. This has happened on 4 different domains that I have. Please
> see a sample of the header below.
>
> Thanks!
>
> Received: from [220.70.206.152] (port=4460 helo=67.19.170.34)
>     by mustang.websitewelcome.com with smtp (Exim 4.52)
>     id 1Fv3uo-0006yP-G2 for postmaster@???; Mon,
>  26 Jun 2006 22:07:03 -0500
> Date: Mon, 26 Jun 2006 23:07:10 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: postmaster@???
> Subject: Re: hi
> To: postmaster@???
> Message-id: <548bgr$18nuf4m@???>
> X-AntiAbuse: This header was added to track abuse,
>  please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - colonichealth.net
> X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
> X-AntiAbuse: Sender Address Domain - colonichealth.net
>
> Received: from [60.179.219.85] (port=1166
>     helo=85.219.179.60.broad.nb.zj.dynamic.cndata.com)
>     by mustang.websitewelcome.com with smtp (Exim 4.52)
>     id 1FvZCG-000049-4X for postmaster@???; Wed, 28 Jun 2006 07:31:15 -0500
> Date: Wed, 28 Jun 2006 08:31:22 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: postmaster@???
> Subject: Something for your site..
> To: postmaster@???
> Message-id: <53079d$1gs0i10@???>
> X-AntiAbuse: This header was added to track abuse,
>  please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - nceweb.com
--
Ian Eiloart
IT Services, University of Sussex
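The two measures Ian describes (requiring SMTP AUTH for envelope senders in your own domains, and optionally inspecting the "From:" header as well) can be expressed as Exim 4 ACL fragments. The following is an added example for illustration, not configuration from this thread or from the hosting provider in question; it assumes a domainlist named local_domains and a hostlist named relay_from_hosts already exist in the main configuration, as they do in the default configure file, and that the ACL names acl_check_mail and acl_check_data are free.

```exim
# Added example, not from the thread. Assumes +local_domains and
# +relay_from_hosts are defined in the main configuration section.

# Main section: wire the two ACLs to the MAIL and DATA phases.
acl_smtp_mail = acl_check_mail
acl_smtp_data = acl_check_data

begin acl

# Envelope check, run at MAIL FROM. A client claiming an envelope sender in
# one of our domains must have authenticated, unless it is a host we already
# trust to relay (so local submission paths are not broken).
acl_check_mail:
  accept  hosts          = +relay_from_hosts

  deny    message        = envelope sender domain $sender_address_domain \
                           requires SMTP AUTH
          sender_domains = +local_domains
          !authenticated = *

  accept

# Header check, run at end of DATA. The envelope sender and the "From:"
# header are independent, so the envelope test above does not cover a
# message whose "From:" header claims one of our domains while the envelope
# sender is something else entirely.
acl_check_data:
  accept  hosts          = +relay_from_hosts

  deny    message        = From: header domain requires SMTP AUTH
          !authenticated = *
          condition      = ${if match_domain{${domain:${address:$h_from:}}}\
                                            {+local_domains}}

  accept
```

The header check is exactly the part Ian warns about: a mailing list that redistributes your post keeps your address in "From:" but uses its own envelope sender, so an unauthenticated list server would be rejected by acl_check_data unless its hosts are added to an exemption list. The envelope check alone has no such side effect on list traffic, but it does require every MUA sending as your domains to be configured for SMTP AUTH, and rejections of either kind will appear in the Exim main log with the message text given above, which is the evidence to hand to the provider.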