Re: [exim] Open relay?

Author: Ralph Ballier
Date:  
To: exim-users exim.org
New-Topics: [exim] How to catch stolen passwords and outgoing spam
Subject: Re: [exim] Open relay?
Yesterday I had a new spammer break in, but now there were entries in the mainlog in the form

A=login:anonymous

In this way I found an entry in LDAP with the password anonymous. Then I deleted this entry and hope that the spam has finished.

But we have some hundred users. What can I do against such abuse if somebody loses their username and password? Is it possible to limit the number of mails from one user per minute or so?

Ralph

----------------original message-----------------
From: "Ralph Ballier" ralph.ballier@???
To: "exim-users exim.org" exim-users@???
Date: Wed, 15 Feb 2012 06:34:57 +0100
-------------------------------------------------


> I have inserted the line
>
> server_set_id = $auth1
>
> in configure and now it works. I can see the username
>
> A=login:<username>
>
> But now I have no spammer :-))
>
> ----------------original message-----------------
> From: "Todd Lyons" tlyons@???
> To: "Ralph Ballier" ralph.ballier@???
> Cc: "exim-users exim.org" exim-users@???
> Date: Tue, 14 Feb 2012 13:51:32 -0800
> -------------------------------------------------
>
>
>> On Tue, Feb 14, 2012 at 1:22 PM, Ralph Ballier
>> ralph.ballier@??? wrote:
>>>
>>> I found these lines in mainlog:
>>>
>>> 2012-02-13 16:25:53 1Rwxmr-0003tG-09 <= havicker@??? H=(User) [4.79.231.188] P=esmtpa A=login S=1695
>>> I think this is relaying.
>>> There is the string A=login
>>> Do you mean this is the user name? But I mean, we do not have a user named "login".
>>
>> Below is what my logs look like when a user authenticates. Notice how
>> the username they authenticated with is part of the A=login: string.
>>
>> 2012-02-14 04:30:47 1RxA2N-0003kh-WD <= matt@???
>> H=c-66-41-183-88.hsd1.mn.comcast.net (OwnerPC) [66.41.183.88] P=esmtpa
>> A=login:matt@??? S=4046
>> id=2406A9DA978B495387CD35DA5E43D270@OwnerPC
>>
>> It kinda sounds like you have a bug in your authentication
>> configuration in that it allows the smtp auth to complete without a
>> username. Please post your authenticator section, specifically the
>> "login" authenticator.
>>
>> ...Todd
>> --
>> SOPA: Any attempt to [use legal means to] reverse technological
>> advances is doomed. --Leo Leporte
>>
>>
>>
>
> --
> System signature
>


--
System signature
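
An added example, not part of the original message or of Exim: a small mainlog audit that counts authenticated arrivals per logged id per minute and also reports arrivals that authenticated without an id (the bare A=login case discussed in the thread). The threshold, the sample lines, the addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Exim mainlog arrival ("<=") line: capture the minute and the A= field,
# which is "A=login:<id>" when server_set_id is set and bare "A=login" when not.
ARRIVAL = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} \S+ <= .*?"
    r"\sA=(?P<auth>[^\s:]+)(?::(?P<user>\S+))?"
)

def audit(lines, max_per_minute=5):
    """Return (bursts, no_id).

    bursts: {(user, minute): count} for ids above max_per_minute (assumed threshold).
    no_id:  authenticated arrivals logged without an id, so not attributable.
    """
    per_minute = Counter()
    no_id = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:                      # not an authenticated arrival line
            continue
        if m.group("user") is None:
            no_id.append(line)
        else:
            per_minute[(m.group("user"), m.group("minute"))] += 1
    bursts = {key: n for key, n in per_minute.items() if n > max_per_minute}
    return bursts, no_id

def _line(sec, id_part):
    # Constructed sample line in the format quoted in the thread.
    return (f"2012-02-15 09:00:{sec:02d} 1RxA00-0000{sec:02d}-AA <= sender@example.test "
            f"H=(User) [192.0.2.10] P=esmtpa A=login{id_part} S=1695")

SAMPLE = ([_line(s, ":anonymous") for s in range(7)]
          + [_line(30, ":alice"), _line(40, "")])

if __name__ == "__main__":
    bursts, no_id = audit(SAMPLE)
    for (user, minute), n in sorted(bursts.items()):
        print(f"{minute} {user}: {n} messages in one minute")
    print(f"{len(no_id)} authenticated message(s) logged without an id")
```

This only reports after the fact; enforcing a limit at SMTP time is a matter for Exim's ACLs (the `ratelimit` condition), which this example does not configure.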