Hello,
I need your help to shed some light on a strange spam abuse of an
Exim server. I've been running a personal Exim server for years now
without any problems. Today I checked the last couple of mainlog
files on the server and saw that something strange had happened at
night.
A user (named 'inna' or 'academia') was able to successfully authenticate
to the server and send mail over it, although this user hasn't been
set up at all as a mail user. The same has happened on the servers of some
of my friends.
We checked the server configuration several times but weren't able to
find any error which would allow email to be sent over it. In all cases the
same login names were used to authenticate for sending email.
I hope someone is able to explain to me how it is possible to send
email without even setting up an account. Would it be possible that
the spammer has caused a kind of buffer overflow by sending too many
non-mail commands to the server to abuse the system? Any help is highly
appreciated.
Some words about the Exim configuration:
- The only inbound TCP port which has been opened for incoming
traffic from the Internet is 25/tcp (SMTP).
- The users who are allowed to send email have been configured by
adding them to a separate config file to make sure that different
mail passwords are used.
- Only authenticated users are allowed to send email over the Exim
server. This is checked and logged by the following ACLs:
acl_check_rcpt:
  ...
  require verify = sender
  accept  sender_domains = +my_sender_domains
          endpass
          message = Only authenticated connections are allowed
          authenticated = *
  ...

acl_check_data:
  ...
  warn    set acl_m1 = 0
  # exiscan - check authentication
  warn    authenticated = *
          set acl_m1 = 1
  warn    logwrite = authenticated ($acl_m1) / authenticated_id ($authenticated_id)
  ...
- The proper authentication is done by the following authenticator,
which checks the mail accounts against the credentials saved in
a file in the format '<username> <password>'.
fixed_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = "\
    ${if !eq{$1}{} \
      {${lookup{$1}lsearch{/etc/mail-users.pwd}{$value}}}fail}"
  server_set_id = $1
- This is the part of the mainlog file which shows how someone managed
to abuse the mail server (I've stripped off the date and time stamps
and added some comments in square brackets):
...
fixed_cram authenticator failed for ns1.visto-web.com.br
(rjntjhylw.com) [200.198.71.194]: 535 Incorrect authentication data
[-> message repeated 5 times]
SMTP call from ns1.visto-web.com.br (rjntjhylw.com) [200.198.71.194]
dropped: too many nonmail commands (last was "AUTH")
fixed_cram authenticator failed for ns1.visto-web.com.br
(cvinxcdzu.com) [200.198.71.194]: 535 Incorrect authentication data
[-> message repeated 5 times.]
[-> this loop runs further 32 times without success and all attempts
are ending with a "too many nonmail commands" error.]
1OqZUj-0004Uk-6t authenticated (1) / authenticated_id (inna)
[-> the non-defined user 'inna' has successfully been authenticated?!]
1OqZUj-0004Uk-6t <= ehcwb@??? H=ns1.visto-web.com.br
(rlhuzmgf.com) [200.198.71.194] P=esmtpa A=fixed_cram:inna S=1518
id=d464645a21b541eb93dcec80fd678bfd@d98ce156960f4d0ba42576fce1457202
...
1OqZUj-0004Uk-6t Completed
[-> the user 'inna' has successfully sent an email!!]
...
Thank you in advance for your help!
Regards
Juergen
--
GPG Key available
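An added worked example, not part of Juergen's post and not Exim's own code, which models the posted server_secret expansion in Python. In Exim, a ${lookup...} that is given only a success string expands to the empty string when the key is not found; only an expansion that ends in fail makes a cram_md5 authenticator reject the login. The posted expansion puts fail on the empty-username branch only, so for any username absent from /etc/mail-users.pwd the CRAM-MD5 secret becomes "" and a client can compute a correct response without knowing any password. The second lookup function below shows the shape the Exim specification itself uses for server_secret, with fail attached to the lookup. The password file contents, the challenge, and the usernames are constructed for the example; lsearch here is a minimal stand-in for Exim's lsearch, not a faithful reimplementation.

```python
"""CRAM-MD5 server check modelled on the posted Exim authenticator.

Added example, not the original poster's code and not Exim code.
Assumption drawn from the posted config: a failed lookup with no
failure branch expands to "", so unknown users get an empty secret.
"""
import base64
import hashlib
import hmac

# Constructed sample password file in the post's '<username> <password>' format.
PASSWORD_FILE = "juergen s3cretpass\nalice another-pass\n"


class ForcedFail(Exception):
    """Stands in for an Exim expansion that ends in 'fail'."""


def lsearch(key, data):
    """Minimal stand-in for Exim's lsearch: first token is the key,
    the rest of the line is the value; None when the key is absent."""
    for line in data.splitlines():
        if not line.strip():
            continue
        k, _, v = line.partition(" ")
        if k == key:
            return v.strip()
    return None


def secret_as_posted(user, data):
    """Mirrors: ${if !eq{$1}{} {${lookup{$1}lsearch{file}{$value}}}fail}
    'fail' only covers the empty username; a failed lookup expands to ""."""
    if user == "":
        raise ForcedFail
    value = lsearch(user, data)
    return value if value is not None else ""


def secret_with_fail(user, data):
    """Mirrors: ${lookup{$1}lsearch{file}{$value}fail}
    The lookup itself forces failure, so unknown users are rejected."""
    value = lsearch(user, data)
    if value is None:
        raise ForcedFail
    return value


def cram_md5_response(user, secret, challenge):
    """Client side of CRAM-MD5: 'user hex(HMAC-MD5(secret, challenge))'."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_accepts(response, challenge, secret_fn, data):
    """Server side: derive the secret via secret_fn and compare digests."""
    user, _, digest = response.partition(" ")
    try:
        secret = secret_fn(user, data)
    except ForcedFail:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo():
    # Constructed server challenge (what the server sends base64-encoded after AUTH CRAM-MD5).
    challenge = b"<1234.1279000000@mail.example>"
    wire_challenge = base64.b64encode(challenge)  # as it would appear on the wire
    assert base64.b64decode(wire_challenge) == challenge
    # Attacker knows no password and relies on unknown users getting secret "".
    forged = cram_md5_response("inna", "", challenge)
    legit = cram_md5_response("juergen", "s3cretpass", challenge)
    return {
        "posted_config_accepts_inna": server_accepts(forged, challenge, secret_as_posted, PASSWORD_FILE),
        "fixed_config_accepts_inna": server_accepts(forged, challenge, secret_with_fail, PASSWORD_FILE),
        "legit_user_still_ok": server_accepts(legit, challenge, secret_with_fail, PASSWORD_FILE),
    }


if __name__ == "__main__":
    print(demo())
```

With the fail form, an unknown username is rejected with the same 535 response the posted log shows for the failed attempts, while a configured user with the right password still authenticates; the forged response for 'inna' only works against the expansion that lets the lookup fall through to an empty string.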