[exim] Exim v4.72 - authenticating to server without having …

Author: Juergen Edner
Date:  
To: exim-users
Subject: [exim] Exim v4.72 - authenticating to server without having a valid account
Hello,
I need your help to shed some light on a strange spam abuse of an
Exim server. I have been running a personal Exim server for years now
without any problems. Today I checked the last couple of mainlog
files on the server and saw that something strange had happened at
night.
A user (name 'inna' or 'academia') was able to successfully authenticate
to the server and send mail through it, although this user has not been
set up at all as a mail user. The same has happened on the servers of some
of my friends.
We checked the server configuration several times but were not able to
find any error which would allow sending email through it. In all cases the
same login names were used to authenticate for sending email.

I hope someone is able to explain to me how it is possible to send
email without even setting up an account. Would it be possible that
the spammer has caused a kind of buffer overflow by sending too many
non-mail commands to the server to abuse the system? Any help is highly
appreciated.

Some words about the Exim configuration:
- The only inbound TCP port which has been opened for incoming
traffic from the Internet is 25/tcp (SMTP).

- The users who are allowed to send email have been configured by
adding them to a separate config file to make sure that different
mail passwords are used.

- Only authenticated users are allowed to send email through the Exim
server. This is checked and logged by the following ACLs:

  acl_check_rcpt:
    ...
    require verify         = sender


    accept  sender_domains = +my_sender_domains
            endpass
            message        = Only authenticated connections are allowed
            authenticated  = *
    ...


  acl_check_data:
    ...
    warn    set acl_m1  = 0


    # exiscan - check authentication
    warn    authenticated = *
            set acl_m1    = 1


    warn    logwrite      = authenticated ($acl_m1) / authenticated_id ($authenticated_id)
    ...


- The proper authentication is done by the following authenticator
which checks the mail accounts against the credentials saved in
a file in the format '<username> <password>'.

  fixed_cram:
    driver = cram_md5
    public_name = CRAM-MD5
    server_secret = "\
    ${if !eq{$1}{} \
      {${lookup{$1}lsearch{/etc/mail-users.pwd}{$value}}}fail}"
    server_set_id = $1


- This is the part of the mainlog file which shows how the mail server
was abused (I've stripped off the date and time stamps and added some
comments in square brackets):

...
fixed_cram authenticator failed for ns1.visto-web.com.br
(rjntjhylw.com) [200.198.71.194]: 535 Incorrect authentication data
[-> message repeated 5 times]
SMTP call from ns1.visto-web.com.br (rjntjhylw.com) [200.198.71.194]
dropped: too many nonmail commands (last was "AUTH")

fixed_cram authenticator failed for ns1.visto-web.com.br
(cvinxcdzu.com) [200.198.71.194]: 535 Incorrect authentication data
[-> message repeated 5 times]

  [-> this loop runs further 32 times without success and all attempts
      are ending with a "too many nonmail commands" error.]


1OqZUj-0004Uk-6t authenticated (1) / authenticated_id (inna)
[-> the non-defined user 'inna' has successfully been authenticated?!]

1OqZUj-0004Uk-6t <= ehcwb@??? H=ns1.visto-web.com.br
(rlhuzmgf.com) [200.198.71.194] P=esmtpa A=fixed_cram:inna S=1518
id=d464645a21b541eb93dcec80fd678bfd@d98ce156960f4d0ba42576fce1457202
...
1OqZUj-0004Uk-6t Completed
[-> the user 'inna' has successfully sent an email!!]
...

Thank you in advance for your help!

Regards
Juergen
--
GPG Key available
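Editor's note with an added example; this is not part of Juergen's message and not Exim's own code. In the posted server_secret string the word fail is the else-branch of the ${if !eq{$1}{} ...} test, so it only fires for an empty username. The inner ${lookup{$1}lsearch{/etc/mail-users.pwd}{$value}} has no failure branch, and in Exim's expansion syntax a lookup with only a success string expands to the empty string when the key is not found; only ${lookup{...}{$value}fail} forces the expansion to fail, which is what makes Exim reject the login. A CRAM-MD5 authenticator whose secret expands to "" accepts any username that is absent from the file, provided the client computed its HMAC-MD5 with an empty password. That is consistent with the "inna" entry in the log above, but it is an inference from the posted configuration, not something the post itself confirms. The Python below models the posted expansion beside the form with fail inside the lookup, together with a minimal CRAM-MD5 client and server, to show the difference. The password file contents, the challenge, the usernames and all function names are constructed for this example; $auth1 is the documented name for the same variable that the posted string calls $1.

```python
import hashlib
import hmac
import re

# Constructed stand-in for /etc/mail-users.pwd in the poster's
# '<username> <password>' format. These accounts and passwords are invented.
MAIL_USERS_PWD = """\
juergen s3cret-one
alice another-secret
"""

# Constructed CRAM-MD5 challenge as the server would send it (before base64).
CHALLENGE = b"<1234.1281000000@mail.example>"


class ForcedFail(Exception):
    """Models an Exim expansion that was forced to fail with 'fail'."""


def lsearch(key, data):
    """Simplified model of Exim's lsearch: return the value of the first line
    whose key (terminated by ':' or whitespace) equals `key`, else None.
    Continuation lines and other lsearch details are not modelled."""
    for line in data.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"([^:\s]+):?\s*(.*)$", line)
        if m and m.group(1) == key:
            return m.group(2)
    return None


def server_secret_as_posted(auth1):
    """server_secret = ${if !eq{$1}{} {${lookup{$1}lsearch{...}{$value}}}fail}
    The 'fail' belongs to the if and only fires for an empty username.
    The lookup has no failure branch, so an unknown user expands to ''."""
    if auth1 == "":
        raise ForcedFail()
    value = lsearch(auth1, MAIL_USERS_PWD)
    return value if value is not None else ""


def server_secret_with_lookup_fail(auth1):
    """server_secret = ${if !eq{$1}{} {${lookup{$1}lsearch{...}{$value}fail}}fail}
    Here 'fail' is the lookup's own failure branch, so an unknown user
    forces the expansion to fail and the authentication is rejected."""
    if auth1 == "":
        raise ForcedFail()
    value = lsearch(auth1, MAIL_USERS_PWD)
    if value is None:
        raise ForcedFail()
    return value


def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5: '<username> <hex HMAC-MD5(password, challenge)>'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response, challenge, secret_fn):
    """Server side: expand server_secret for the presented username and compare
    HMAC-MD5 digests. A forced expansion failure rejects the login."""
    username, _, digest = response.partition(" ")
    try:
        secret = secret_fn(username)
    except ForcedFail:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # 'inna' is not in the file; with an empty password the posted form accepts it.
    for user, pw in (("juergen", "s3cret-one"), ("juergen", "wrong"), ("inna", "")):
        resp = cram_md5_response(user, pw, CHALLENGE)
        posted = server_verify(resp, CHALLENGE, server_secret_as_posted)
        fixed = server_verify(resp, CHALLENGE, server_secret_with_lookup_fail)
        print(f"user={user!r:10} password={pw!r:14} as posted: {posted!s:5} with lookup fail: {fixed}")
```

Running the script shows the known account accepted by both forms, a wrong password rejected by both, and the unknown user "inna" with an empty password accepted only by the expansion as posted. The practical check on a live server is to look at the secret string for a lookup whose only string is {$value}: on a miss that is an empty secret, not a rejected login.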