Re: [exim] Apache <=> Exim

Etusivu
Poista viesti
Vastaa
Lähettäjä: Phil Pennock
Päiväys:  
Vastaanottaja: Grant Peel
Kopio: exim-users, Jeroen van Aart
Aihe: Re: [exim] Apache <=> Exim
On 2008-07-30 at 18:22 -0700, Jeroen van Aart wrote:
> Grant Peel wrote:
> > I am thinking a script on one of my servers has a security hole in it. A few
> > days ago, the server started sending out huge amounts of spam. I am yet to
> > find the culprit.


Rate-limiting may help here, if you have a limit on "reasonable"
outbound mail volume per day.

> In such cases standard precautions apply, I would say. Since it is
> possible your server has been broken into. Check for any unknown
> processes running, do an ls -al /tmp/ /var/tmp and /dev/shm and see if
> you find any oddball files, such as /tmp/...
>
> It's very common for a compromised system to have an irc daemon running
> to control bots/botnets and to abuse the MTA to send out spam. Google is
> your friend at finding out what to do when your server might be broken into.


Having dealt with disabling user accounts at an ISP for this, I'll note
that it's much *much* more common for spammers to simply be scanning for
abusable scripts and abusing those, without actually attacking to be
able to run arbitrary code on the web-servers.

Formmail and friends are the main threat on the CGI side, whilst PHP
stuff, well, whatever PHP pre-packaged applications are popular enough
for someone interested to have gone reading through the code to find all
the problems. PHPNuke was amazingly bad in this regard.

With some applications, it gets rather hard to determine where the
actual hole is, buried in some library routine used in some module
embedded as a gadget in some page. We could block, sure, since we
rewrote the envelope-sender to be webmaster@domain for each domain
(mapping UID to domain based upon the account information) but having
more information to hand to customers is useful.

There's an Exim-users thread started by me on 2006-08-13, subject is
"Feature req: env var logging" and three notes came back:
* change sendmail_path to a wrapper script which logs (Stephen Gran)
* use embedded Perl to grab environment variables (Dave Evans)
* a patch to make environment variables visible in Exim conf (Eli)

Of course, I left my then-employer shortly thereafter as it was sold, so
never used any of these. :) I did appreciate the good feedback though.

> > I am thinking that I would like to temporarily disble apache's sending of
> > email (from FormMail scripts), until I can track down the offending script.
> >
> > Is there a way I can do it in Exim's configure?


Use an acl_not_smtp ACL to deny the message based upon invoker
($caller_uid).

If you have CGI scripts and a userid per website (eg, ISP hosting) then,
if you haven't already done so, do something like set up a CDB file
mapping UID to an email address which has to be the SMTP Envelope
Sender, outbound; use that to set "return_path" on the SMTP transport.
You can also consider setting things like X-Abuse: headers with your
abuse contact address and the web-site responsible.

-Phil