Re: [exim] Disabling mails being sent via localhost

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Disabling mails being sent via localhost
Hi,

soumya tr <soumya.324@???> (Mi 05 Feb 2014 10:49:57 CET):
> Hi,
>
> I am having issues where some customers' accounts have been hacked, and
> malicious PHP scripts have been added that send out mails using the socket
> creation method [it is similar to sending out mails with telnet localhost 25].
>
> The respective logs:
>
> 2014-02-05 09:43:50 1WAz1K-001Zgy-HT H=localhost [127.0.0.1]:50015 Warning:
> "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT
> spam (-1.0)"
> 2014-02-05 09:43:50 1WAz1K-001Zgy-HT <= NYDBfjG@??? H=localhost
> [127.0.0.1]:50015 P=smtp S=825
> id=BrKKONI.WlwhspCjPQnK@???="=?utf-8?B?0JrQsNC6INC30LAg0LzQtdGB0Y/RhiDQt9Cw0YDQsNCx0L7RgtCw0YLRjCA4Nzk1JD8=?="
> for ladya-nn@???
>
> This is creating spamming issues and blacklisting of servers. If I disable
> port 25 connections to localhost, the mail functionality would be affected
> [as cron mails are sent via localhost]. Is there any way I can handle this
> situation?


Cron mails are sent using /usr/sbin/sendmail, normally. Thus blocking
SMTP to 127.0.0.1 should not affect your cron mails.

You could try to install an identd and use its information:
---
    # ask the identd of the connecting host only for loopback connections
    rfc1413_hosts = 127.0.0.1
    rfc1413_timeout = 10s

    # the ident lookup happens at connection time, so $sender_ident is
    # already set when the connect ACL runs
    acl_smtp_connect = acl_check_smtp

    begin acl

    acl_check_smtp:
        # one blocked identity (e.g. the web server user) per line;
        # lsearch matches on the first word of each line
        deny    hosts     = 127.0.0.1
                condition = ${lookup{$sender_ident}lsearch{/etc/exim/blocked-idents}{1}{0}}
                message   = SMTP submission from $sender_ident is not allowed; use /usr/sbin/sendmail
---


Another idea: iptables (if you're on Linux) has an 'owner' match
extension, so you can block/accept connections depending on the owner
of the connection.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-
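The ident-based approach above rests on an RFC 1413 exchange between Exim and the local identd, followed by the lsearch in the ACL. The following is an added example, not part of this thread or of Exim's own code, that walks through that exchange end to end: the query Exim sends for the logged connection (client port 50015 to port 25), the identd's reply, and the deny/accept decision the posted ACL would reach. The connection table, the port-to-user mapping and the contents of /etc/exim/blocked-idents are constructed for illustration; the loopback identd listens on an ephemeral port rather than 113 so it runs unprivileged.

```python
# Added example (not from the original thread): the RFC 1413 exchange Exim makes
# for a host in rfc1413_hosts, and the blocked-idents decision from the posted ACL.
import socket
import threading

# Constructed stand-in for the kernel socket table a real identd consults:
# (port on the querying host, port on the identd host) -> owning user.
# Both hosts are 127.0.0.1 here because the hijacked script talks to localhost.
CONNECTION_OWNERS = {
    (50015, 25): "www-data",   # the PHP script from the log line (assumed uid)
    (50016, 25): "root",       # a legitimate local submission
}

# Constructed stand-in for /etc/exim/blocked-idents. Exim's lsearch keys on the
# first whitespace-delimited token of each line; the rest of the line is the value.
BLOCKED_IDENTS_FILE = """\
# identities that may not submit via SMTP to 127.0.0.1
www-data  web server account; should use /usr/sbin/sendmail
nobody
"""


def parse_lsearch_keys(text):
    """Keys of an lsearch file, skipping blank lines and comments."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.split()[0])
    return keys


def ident_query(client_port, server_port):
    """Request line Exim sends: '<port on the connecting host>, <port on Exim>'."""
    return "%d, %d\r\n" % (client_port, server_port)


def handle_ident_request(line, owners=CONNECTION_OWNERS):
    """identd side: answer one request per RFC 1413."""
    try:
        a, b = (int(x) for x in line.strip().split(","))
    except ValueError:
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    if not (0 < a < 65536 and 0 < b < 65536):
        return "%d, %d : ERROR : INVALID-PORT\r\n" % (a, b)
    user = owners.get((a, b))
    if user is None:
        return "%d, %d : ERROR : NO-USER\r\n" % (a, b)
    return "%d, %d : USERID : UNIX : %s\r\n" % (a, b, user)


def parse_ident_reply(line):
    """Exim side: the user id from a USERID reply, or None on ERROR/garbage
    (then $sender_ident stays empty)."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) == 4 and parts[1] == "USERID":
        return parts[3]
    return None


def acl_check_smtp(sender_ident, blocked_keys):
    """The posted ACL: deny when $sender_ident is a key of blocked-idents.
    An empty/None ident never matches, so an ERROR reply is fail-open."""
    return "deny" if sender_ident in blocked_keys else "accept"


def run_exchange(client_port, server_port=25, transport=handle_ident_request):
    """Query, parse the reply into $sender_ident, evaluate the ACL.
    transport(request) -> reply; the default answers in-process."""
    ident = parse_ident_reply(transport(ident_query(client_port, server_port)))
    return ident, acl_check_smtp(ident, parse_lsearch_keys(BLOCKED_IDENTS_FILE))


def serve_ident(listener, count):
    """Minimal loopback identd: one request per connection, `count` connections."""
    for _ in range(count):
        conn, _ = listener.accept()
        with conn:
            request = conn.makefile("r").readline()
            conn.sendall(handle_ident_request(request).encode())


def loopback_transport(ident_port):
    """Transport that really goes over TCP, like Exim does to port 113."""
    def send(request):
        with socket.create_connection(("127.0.0.1", ident_port), timeout=10) as s:
            s.sendall(request.encode())
            return s.makefile("r").readline()
    return send


if __name__ == "__main__":
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    threading.Thread(target=serve_ident, args=(listener, 3), daemon=True).start()
    for port in (50015, 50016, 50017):
        print(port, run_exchange(port, transport=loopback_transport(listener.getsockname()[1])))
```

Two things to keep in mind when deploying this: the ACL fails open, since a NO-USER or timed-out lookup leaves $sender_ident empty and the lookup condition returns 0, so the blocked-idents file must list every uid the hijacked scripts can run as (the web server user, or the customers' own uids under suPHP/FastCGI setups); and an ident answer is only worth trusting here because the "remote" host is the server itself. The iptables route mentioned in the reply applies the same owner test in the kernel, in the OUTPUT chain, e.g. `iptables -A OUTPUT -o lo -p tcp --dport 25 -m owner --uid-owner www-data -j REJECT`, which leaves /usr/sbin/sendmail (and therefore cron mail) untouched.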