Re: [exim] Am I Hacked?

Author: Rick Lutowski
Date:  
To: W B Hacker
CC: exim users
Subject: Re: [exim] Am I Hacked?
W B Hacker wrote:
> Rick Lutowski wrote:
>
>>I've been using exim on debian 'out of the box' for years with
>>no apparent problems. Recently I've been getting indications
>>my server's exim has been compromised and is sending out spam
>>without my knowledge.
>
>
> 'indications' such as?


Two things:

1. The destinations list in the activity report.
I assume that these are domains my server sent mail to.
If so, they are not domains I myself sent mail to.
Hence, the system is being hacked, i.e., someone or
something is sending mail beside me. If this is not
the correct interpretation of the destinations list
in the activity report, then this is a red herring
and I am worrying about nothing.

2. Here is the reason that really raised the red flag,
and caused me to start running the daily activity reports:
A message I really did send bounced as follows --

--
This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

   <username>@mchsi.com
     SMTP error from remote mailer after MAIL FROM:<rick@???> SIZE=163488:
     host gateway.mchsi.com [204.127.203.150]: 550-65.68.229.225 blocked by 
ldap:ou=rblmx,dc=mso,dc=att,dc=net
     550 Blocked for abuse. Please contact the administrator of your ISP or 
sending mailservice.
--


The "Blocked for abuse" reason makes me think my system has
been blacklisted by mchsi.com. I have never received a
bounce like this before. Maybe my system is spamming and
mchsi.com is the first to blacklist me. Or maybe mchsi.com
blacklists everyone until the user adds your domain to a
whitelist. If the latter, I have no problem. I contacted
the user but they did not seem to be aware of any need to
add me to a whitelist.

The third possibility is that this is a bogus bounce message.
This is definitely not the case. This is a real bounce message
from an attempt to send mail that did not get through. It is
a real problem. Am just not sure if the source of the problem
is my exim server sending spam and getting blacklisted, or the
mchsi.com server acting paranoid as a matter of course.


>
>
> First, you need to confirm that you actually *have* a problem.



Absolutely agree.


> The report submitted does not make that clear.
>
> Are you getting bounces or rejections from legitimate hosts? Being blacklisted?
> Getting complaints of other kinds?


See above.
Any comments on the bounce msg?

--
Rick Lutowski, GRI, REALTOR
Greg Doering & Associates
Keller Williams Realty
rick@???
512-461-1456
I Reward Referrals
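Added example (not part of this thread, not code from the exim project): a small Python parser for the Exim bounce layout quoted in the message above. It pulls out, for each failed recipient, the SMTP phase at which the remote side refused, the remote host and its IP, the reply code, the joined reply text, and the IP the remote site names in its rejection. That last value is the one worth checking: it is the address the receiving site saw connecting, so it should match the server's expected public IP, and it is the address to look up on public DNS block lists. The sample input reproduces the bounce from the message, with its placeholders and line wrapping kept, so the parser also has to rejoin wrapped reply lines; the keyword list used to flag a block-list rejection is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the Exim bounce quoted in the message above, with the
# recipient placeholder and the line wrapping kept exactly as posted.
SAMPLE_BOUNCE = """\
This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

   <username>@mchsi.com
     SMTP error from remote mailer after MAIL FROM:<rick@???> SIZE=163488:
     host gateway.mchsi.com [204.127.203.150]: 550-65.68.229.225 blocked by
ldap:ou=rblmx,dc=mso,dc=att,dc=net
     550 Blocked for abuse. Please contact the administrator of your ISP or
sending mailservice.
"""

# Assumed keyword list: words receiving sites commonly use when the refusal
# comes from a block list rather than from the message itself.
BLOCKLIST_HINTS = ("blocked", "blacklist", "block list", "rbl", "dnsbl", "listed", "abuse")

ADDR_RE = re.compile(r"^\s*(\S+@\S+)\s*$")          # a recipient line holds only the address
PHASE_RE = re.compile(r"after (MAIL FROM|RCPT TO|end of data|DATA|HELO|EHLO)", re.I)
HOST_RE = re.compile(r"host (\S+) \[([\d.]+)\]")
REPLY_RE = re.compile(r"(\d{3})[- ](.*)")           # "550-text" or "550 text"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class FailedRecipient:
    address: str
    phase: Optional[str] = None        # SMTP phase at which the remote refused
    remote_host: Optional[str] = None
    remote_ip: Optional[str] = None
    code: Optional[str] = None         # three-digit SMTP reply code
    reply: str = ""                    # reply text with continuation lines joined
    blocked_ip: Optional[str] = None   # IP the remote names in its reply, if any

    @property
    def permanent(self) -> bool:
        return bool(self.code) and self.code.startswith("5")

    @property
    def blocklist_rejection(self) -> bool:
        text = self.reply.lower()
        return self.permanent and any(h in text for h in BLOCKLIST_HINTS)


def parse_exim_bounce(text: str) -> List[FailedRecipient]:
    """Return one FailedRecipient per address under 'The following address(es) failed:'."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if "address(es) failed" in l), None)
    if start is None:
        return []
    results: List[FailedRecipient] = []
    current: Optional[FailedRecipient] = None
    for line in lines[start + 1:]:
        m = ADDR_RE.match(line)
        if m:
            current = FailedRecipient(address=m.group(1))
            results.append(current)
            continue
        if current is None or not line.strip():
            continue
        detail = line.strip()
        pm = PHASE_RE.search(detail)
        if pm and current.phase is None:
            current.phase = pm.group(1).upper()
        hm = HOST_RE.search(detail)
        if hm:
            current.remote_host, current.remote_ip = hm.group(1), hm.group(2)
            detail = detail[hm.end():].lstrip(": ")   # the reply follows on the same line
        rm = REPLY_RE.match(detail)
        if rm:
            if current.code is None:
                current.code = rm.group(1)
            current.reply = (current.reply + " " + rm.group(2)).strip()
        elif current.code is not None:
            # a wrapped continuation of the previous reply line
            current.reply = (current.reply + " " + detail).strip()
    for r in results:
        # Any IP in the reply other than the remote's own is the address the
        # receiving site saw connecting: compare it with your expected public IP.
        ips = [ip for ip in IP_RE.findall(r.reply) if ip != r.remote_ip]
        r.blocked_ip = ips[0] if ips else None
    return results


def interpret(r: FailedRecipient) -> str:
    """One-line reading of a failed recipient for the admin looking at the bounce."""
    kind = "block-list rejection" if r.blocklist_rejection else "rejection"
    where = f"{r.remote_host} [{r.remote_ip}]" if r.remote_host else "remote host"
    msg = f"{r.address}: {r.code} {kind} by {where} at {r.phase or 'unknown phase'}"
    if r.blocked_ip:
        msg += f"; reply names {r.blocked_ip} as the blocked sender IP"
    return msg


if __name__ == "__main__":
    for rec in parse_exim_bounce(SAMPLE_BOUNCE):
        print(interpret(rec))
```

Run on the quoted bounce it reports a 550 block-list rejection by gateway.mchsi.com at MAIL FROM naming 65.68.229.225 as the blocked sender IP. If that IP is the server's own public address, the next step on the admin's side is to look it up on the public DNS block lists and to compare Exim's own mainlog volume for that address with what was actually sent; if it is not the server's address, the listing concerns some other host on the path and the server itself is not what was blocked.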