Author: Eduardo M KALINOWSKI
Date:
To: exim-users
Subject: Re: [exim] Please help determine how spam is being sent from my server
George wrote:
> Hi,
>
> I am running FC4 with Exim 4.68
>
> Someone is sending spam from my server and I can't find how he is doing this.
>
> [snip]
>
> What I know is that he does this by somehow connecting to port 25 from
> localhost and feeding the data to exim. When he sends spam, all I see
> in the exim_mainlog is:
> 2008-11-22 03:04:03 SMTP connection from [127.0.0.1]:60739
> I=[127.0.0.1]:25 (TCP/IP connection count = 5)
> 2008-11-22 03:04:03 H=localhost (hostname.com) [127.0.0.1]:60739
> I=[127.0.0.1]:25 Warning: Sender rate 12.0 / 1h
> 2008-11-22 03:04:03 H=localhost (hostname.com) [127.0.0.1]:60739
> I=[127.0.0.1]:25 sender verify fail for <Pharmacy-shop@???>
>
> [snip]
> I have too many domains on the server so I can't search through the
> logs and compare times.
>
You may need to. Grep is your friend.

> Can someone please tell me how I can determine how he is sending the spam?
>
Spam is sent from a local process that telnets to localhost. Mail
generated locally generally can be relayed anywhere, so this bypasses
anti-relay ACLs.

Search your ps output for processes that look suspicious. The port used
by the process is listed in the logs; you can use the netstat program to
see more easily which process is using that port. In case the whole
operation is too fast, configure exim to add delays to the SMTP
transaction so you can have time to run a netstat.
Do your users have shell access? Because if not, your system was
probably invaded, and that's not good.
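The port-to-process correlation described above, as an added example that is not part of the original thread: it pulls the loopback source ports out of exim_mainlog lines and looks each one up in `netstat -tnp` output to name the owning PID/program. The log and netstat lines embedded here are constructed samples; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the exim-users thread. Correlates the
# "[127.0.0.1]:PORT" source ports Exim logs with the process holding them.

# Read exim_mainlog lines on stdin; print the ephemeral source port of every
# SMTP connection that arrived over loopback.
loopback_ports() {
    sed -n 's/.*SMTP connection from \[127\.0\.0\.1\]:\([0-9][0-9]*\) .*/\1/p'
}

# Read `netstat -tnp` output on stdin; print the PID/program that owns the
# local end of the socket with source port $1. Column 4 of netstat -tnp is
# "Local Address", the last column is "PID/Program name".
owner_of_port() {
    awk -v p="$1" '$4 == ("127.0.0.1:" p) { print $NF }'
}

# $1 = file of exim_mainlog lines, $2 = file of netstat -tnp output.
# Prints each distinct process that opened a loopback SMTP session.
suspect_processes() {
    loopback_ports < "$1" | while read -r port; do
        owner_of_port "$port" < "$2"
    done | sort -u
}

# Constructed sample data so the script runs offline. On the real server
# feed it /var/log/exim/exim_mainlog and live `netstat -tnp` output.
LOG_SAMPLE='2008-11-22 03:04:03 SMTP connection from [127.0.0.1]:60739 I=[127.0.0.1]:25 (TCP/IP connection count = 5)
2008-11-22 03:04:09 SMTP connection from [192.0.2.10]:41002 I=[198.51.100.5]:25 (TCP/IP connection count = 6)
2008-11-22 03:04:11 SMTP connection from [127.0.0.1]:60744 I=[127.0.0.1]:25 (TCP/IP connection count = 7)'
NETSTAT_SAMPLE='tcp 0 0 127.0.0.1:60739 127.0.0.1:25 ESTABLISHED 4242/perl
tcp 0 0 127.0.0.1:60744 127.0.0.1:25 ESTABLISHED 4242/perl
tcp 0 0 198.51.100.5:25 192.0.2.10:41002 ESTABLISHED 1234/exim'

# Run the correlation over the constructed samples.
demo() {
    tmpl=$(mktemp); tmpn=$(mktemp)
    printf '%s\n' "$LOG_SAMPLE" > "$tmpl"
    printf '%s\n' "$NETSTAT_SAMPLE" > "$tmpn"
    suspect_processes "$tmpl" "$tmpn"
    rm -f "$tmpl" "$tmpn"
}

demo
```

If the sessions close before netstat can catch them, an Exim ACL `delay` modifier applied to `hosts = 127.0.0.1` in the connect ACL keeps each loopback session open long enough to run it.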