Hi,
soumya tr <soumya.324@???> (Wed 05 Feb 2014 10:49:57 CET):
> Hi,
>
> I am having issues, were in some customers account has been hacked, and
> malicious php scripts are added to sent out mails using socket creation
> method [ it is similar to sending out mails like telnet localhost 25 ]
>
> The respective logs:
>
> 2014-02-05 09:43:50 1WAz1K-001Zgy-HT H=localhost [127.0.0.1]:50015 Warning:
> "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT
> spam (-1.0)"
> 2014-02-05 09:43:50 1WAz1K-001Zgy-HT <= NYDBfjG@??? H=localhost
> [127.0.0.1]:50015 P=smtp S=825
> id=BrKKONI.WlwhspCjPQnK@???="=?utf-8?B?0JrQsNC6INC30LAg0LzQtdGB0Y/RhiDQt9Cw0YDQsNCx0L7RgtCw0YLRjCA4Nzk1JD8=?="
> for ladya-nn@???
>
> This is creating spamming issues, and blacklist of servers. If I disable
> port 25 connections to localhost, the mail functionality would be affected
> [as cron mails are sent via localhost]. Is there any way I can handle this
> situation?
Cron mails are sent using /usr/sbin/sendmail, normally. Thus blocking
SMTP to 127.0.0.1 should not affect your cron mails.
You could try to install an identd and use its information:
---
# main section: ask the identd on the loopback which local user owns the
# connecting socket
rfc1413_hosts = 127.0.0.1
rfc1413_query_timeout = 10s
acl_smtp_connect = acl_check_smtp

begin acl

acl_check_smtp:
  # refuse the connection if the reported local user is on the block list
  deny condition = ${lookup{$sender_ident}lsearch{/etc/exim/blocked-idents}{1}{0}}
  # everything else (including connections with no ident answer) passes;
  # an ACL that runs off its end denies, so the accept must be explicit
  accept
---
Another idea: IPTables (if you're on Linux) has an 'owner' match
extension, thus you can block/accept connections depending on the owner
of the connection.
Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
gnupg fingerprint: 9288 F17D BBF9 9625 5ABC 285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B)-
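A detection-side complement to the advice in this thread, added here as an example (it is not from the thread or from the Exim project): a small Python scanner over Exim main-log "<=" lines that separates mail injected over plain SMTP from 127.0.0.1 (the pattern in the quoted log) from legitimate local submissions (P=local, as cron and /usr/sbin/sendmail produce) and authenticated submissions, and counts the loopback injections per envelope sender. The log lines are constructed; addresses, ids and ports are made up.

```python
import re
from collections import Counter

# Constructed sample Exim main-log lines modelled on the ones quoted in the
# thread (ids, addresses and ports are made up).  Lines 1-2: injected over
# SMTP to the loopback; line 3: local submission via /usr/sbin/sendmail
# (cron); line 4: authenticated submission from a remote client.
SAMPLE_LOG = """\
2014-02-05 09:43:50 1WAz1K-001Zgy-HT <= spammer@example.invalid H=localhost [127.0.0.1]:50015 P=smtp S=825 for victim@example.invalid
2014-02-05 09:43:51 1WAz1L-001Zh0-AB <= spammer@example.invalid H=localhost [127.0.0.1]:50016 P=smtp S=830 for other@example.invalid
2014-02-05 09:44:02 1WAz1M-001Zh3-CD <= root@example.invalid U=root P=local S=412 for admin@example.invalid
2014-02-05 09:45:10 1WAz1N-001Zh7-EF <= alice@example.invalid H=(mua) [198.51.100.7]:52000 P=esmtpsa A=dovecot_plain:alice S=2048 for bob@example.invalid
"""

# Fields of an Exim "<=" (message arrival) line that matter here.  The H=
# field is absent for P=local submissions, U= is absent for SMTP ones.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) '
    r'(?:H=(?P<host>\S+) \[(?P<ip>[^\]]+)\](?::\d+)? )?'
    r'(?:U=(?P<user>\S+) )?'
    r'P=(?P<proto>\S+)'
)


def parse_arrivals(log_text):
    """Return one dict per '<=' line; delivery and warning lines are skipped."""
    return [m.groupdict() for m in map(ARRIVAL_RE.match, log_text.splitlines()) if m]


def is_loopback_smtp(rec):
    """True for mail injected over plain SMTP from 127.0.0.1, the path the
    compromised PHP scripts use.  Cron/sendmail mail shows P=local and no
    H=, and authenticated submissions show P=esmtpa/esmtpsa with an A= field."""
    return rec['ip'] == '127.0.0.1' and rec['proto'] == 'smtp'


def suspicious_senders(log_text):
    """Count loopback-SMTP arrivals per envelope sender, to see which
    (customer) address a compromised account is sending as."""
    counts = Counter()
    for rec in parse_arrivals(log_text):
        if is_loopback_smtp(rec):
            counts[rec['sender']] += 1
    return counts


if __name__ == '__main__':
    for sender, n in suspicious_senders(SAMPLE_LOG).most_common():
        print(f'{n:4d}  {sender}')
```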