Re: [exim] what is log part ? attack ?

Pàgina inicial
Delete this message
Reply to this message
Autor: Graeme Fowler
Data:  
A: exim-users
Assumpte: Re: [exim] what is log part ? attack ?
Hi

On 10 Oct 2015, at 12:41, Sławomir Dworaczek <slawek@???> wrote:
> This is the same PID, look
>
> 2015-10-10 13:27:20 [26891] no IP address found for host smarthost.win.pl (during SMTP connection from mx2.wp.pl [212.77.101.7])
> 2015-10-10 13:27:20 [26891] 1ZksJ6-0006zj-PI DKIM: d=wp.pl s=1024a c=relaxed/relaxed a=rsa-sha256 t=1444476439 [verification succeeded] 2

<snip>

Firstly: please subscribe to the mailing list; your posts keep being held for moderation as you aren't a subscriber.

Secondly, *something* in your configuration is causing this.

You can diagnose it by running a debug session, hand-creating an SMTP transaction as in the following example (which, if you subscribed and searched the archives, you'd find an example of), changing the addresses which you redacted in your original email.

Open an editor, paste the following in and save it as newfile.txt:

# ===START OF SCRIPT===
(
 sleep 1
 echo 'EHLO mx-out.facebook.com'
 sleep 1
 echo 'MAIL FROM:<notification+kjdm75-dp3-m@???>'
 sleep 1
 echo 'RCPT TO:<myuser@???>'
 sleep 1
 echo 'DATA'
 sleep 1
 cat <<EOF
Received: from 127.0.0.1 (HELO localhost) 
(notification+kjdm75-dp3-m@???)
        by 66.220.155.136 with ESMTPA; Mon, 12 Oct 2015 14:12:34 +0200
From: notification+kjdm75-dp3-m@???
To: myuser@???
Date: Mon, 12 Oct 2015 14:12:34 +0200
Subject: Notification


[Some stuff purporting to be from Facebook!]
.
EOF

sleep 5
echo 'QUIT') | exim -d -bh 66.220.155.136 2>&1 | less

#=== END OF SCRIPT ===

Then run that (as root or other trusted user, in Exim terms):

sh newfile.txt

That'll show you where your validation statement is, and where it's getting the errant hostname from.

Graeme