Re: [exim] Exim server maillog are flood by spam attemps?

Góra strony
Delete this message
Reply to this message
Autor: kuncho pencho
Data:  
Dla: exim-users
Temat: Re: [exim] Exim server maillog are flood by spam attemps?
Hi,

Do you check for compromissed account? Who is faisal.alazemi@??? ?

Best Regards.








>-------- Оригинално писмо --------


>От: Flan AlFlani solo9300@???


>Относно: Re: [exim] Exim server maillog are flood by spam attemps?


>До: kuncho pencho


>Изпратено на: 13.07.2016 16:20





.abv-omExternalClass .EmailQuote { margin-left: 1.0pt; padding-left: 4.0pt; border-left: #800000 2.0px solid; }


.abv-omExternalClass p { margin-top: 0; margin-bottom: 0; }





     hide mysql_servers = localhost/AlDimnaEmailSystem/exim/IChangeThePassword



     addresslist 
noautoreply_senders = /etc/mail.d/exim.d/conf.d/01-autoreply.noanswer.list




     SPAM_FILESIZE_LIMIT = 1M



     VIRUS_FILESIZE_LIMIT = 32M



     MYSQL_LOG=INSERT INTO `spamlog` ( `ID`, `MessageID`, `SenderIP`, `SenderPort`, `SenderHostname`, `SenderHelo`, `SenderAddress`, `RecipientAddress`, `Username`, `Domain`, `LoadAverage`, `SpamScore`, `MessageSize`, `BodySize`, `MessageLines`, `BodyLines`, `ReceivedHeaders`, `ReceivedProtocol`, `Cipher`, `Authenticated`, `SenderVerify`, `Age`, `TimeStamp`) \



       VALUES( '${quote_mysql:$message_exim_id}', \



       '${quote_mysql:$header_Message-ID:}', \



       '${quote_mysql:$sender_host_address}', \



       '${quote_mysql:$sender_host_port}', \



       '${quote_mysql:$sender_host_name}', \



       '${quote_mysql:$sender_helo_name}', \



       '${quote_mysql:$sender_address}', \



       CONCAT('${quote_mysql:$original_local_part}','@','${quote_mysql:$original_domain}'), \



       '${quote_mysql:$local_part}', '${quote_mysql:$domain}', \



       '${quote_mysql:$load_average}/1000', \



       '${quote_mysql:$header_X-Spam-Score:}', \



       '${quote_mysql:$message_size}', \



       '${quote_mysql:$message_body_size}', \



       '${quote_mysql:$message_linecount}', \



       '${quote_mysql:$body_linecount}', \



       '${quote_mysql:$received_count}', \



       '${quote_mysql:$received_protocol}', \



       '${quote_mysql:$tls_cipher}', \



       '${quote_mysql:$authenticated_id}', \



       '${quote_mysql:$header_X-Sender-Verify:}', \



       '${quote_mysql:$message_age}', \



       NOW() )



     CHECK_MAIL_HELO_ISSUED = 1



     primary_hostname = smtp.aldimna.com



     smtp_active_hostname = ${if eq{$interface_address}{46.102.240.223}\





{aldimna.com}{smtp.aldimna.com}}


     domainlist local_domains = ${lookup mysql {\



       SELECT domain FROM user WHERE domain='${quote_mysql:$domain}' \



       UNION \



       SELECT domain FROM alias WHERE domain='${quote_mysql:$domain}' \



       UNION \



       SELECT domain FROM catchall WHERE domain='${quote_mysql:$domain}'\



       }}



     domainlist 
       relay_to_domains =




     hostlist 
       relay_from_hosts =



     hostlist spf_white_hosts = \



       aldimna.com : \



       smtp.aldimna.com



     domainlist blocked_domains = lsearch;/etc/mail.d/exim.d/conf.d/disabled-domains.list




percent_hack_domains = *


     acl_smtp_rcpt
         = acl_check_rcpt



     acl_smtp_helo
         = acl_check_helo



     acl_smtp_mail
         = acl_check_mail



     acl_smtp_mime
         = acl_check_mime



     acl_smtp_data
         = acl_check_content



     av_scanner = clamd:/var/lib/clamav/clamd.sock



     spamd_address = /var/run/spamassassin/spamd.sock



     tls_advertise_hosts = *



     tls_certificate = /etc/ssl/certs/AlDimna-smtp-Certificate.pem



     tls_privatekey = /etc/ssl/certs/AlDimna-smtp-Certificate.pem



     daemon_smtp_ports = 25 : 465



     tls_on_connect_ports = 465



     qualify_domain = aldimna.com



     never_users = root



     host_lookup
        = !10.0.1.0/24 : *



     rfc1413_hosts = *



     rfc1413_query_timeout = 5s



     ignore_bounce_errors_after = 2d



     timeout_frozen_after = 7d



     dsn_from = AlDimna Mail Delivery System  



     smtp_enforce_sync = false



     untrusted_set_sender = *



     local_sender_retain = true



     local_from_check = false



     timezone = EST



     log_selector = +address_rewrite \



       +all_parents \



       +arguments \



       +connection_reject \



       +delay_delivery \



       +delivery_size \



       +dnslist_defer \



       +incoming_interface \



       +incoming_port \



       +lost_incoming_connection \



       +queue_run +received_sender \



       +received_recipients \



       +retry_defer \



       +sender_on_delivery \



       +size_reject \



       +skip_delivery \



       +smtp_confirmation \



       +smtp_connection \



       +smtp_protocol_error \



       +smtp_syntax_error \



       +subject \



       +tls_cipher \



       +tls_peerdn \



       +all



     message_size_limit = 500M



     begin acl



     acl_check_helo:



       deny
        message
        = HELO/EHLO with AlDimna ip address. 
1- You are not me.



       log_message
        = HELO/EHLO with AlDimna ip address deny



       condition
        = ${if match {$sender_helo_name}{46.102.240.223} {yes}{no}}



       deny
        message
        = HELO/EHLO with AlDimna domain name. 
2- You are not me.



       log_message
        = HELO/EHLO AlDimna domain deny



       condition
        = ${if match {$sender_helo_name}{smtp.aldimna.com} {yes}{no}}



       deny
        message
        = Fine, then the mail I accept is also none



       log_message
        = HELO/EHLO none deny



       condition
        = ${if match {$sender_helo_name}{none} {yes}{no}}



       deny
        message
        = You are hardly local, fool



       log_message
        = HELO/EHLO localhost deny



       condition
        = ${if match {$sender_helo_name}{localhost} {yes}{no}}



       deny
        message
        = Invalid HELO. 
You must be spam or a virus, or your system administrator is an idiot.



       !hosts 





= +relay_from_hosts


       log_message
        = HELO/EHLO Invalid deny



       condition
        = ${if match{$sender_helo_name}{\\.}{no}{yes}}



       accept



     acl_check_mail:



       deny
        message
        = \nIf you see this message then you no longer have an account with us.\nPlease if you require a backup for you account email us at admin@???.\n



       log_message
        = from blocked senders list



       senders
        = /etc/mail.d/exim.d/conf.d/disabled-senders.list



       deny
        message
        = You're from Mailinator, go away



       log_message
        = Mailinator mail



       senders
        = *@mailinator.com



       deny
        message
        = You are a major spammer, go away



       log_message
        = Pookmail mail



       senders
        = *@pookmail.com



       deny
        message
        = You are a major spammer, go away



       log_message
        = Russian sex spam



       senders
        = *@mail.ru



       deny
        message
        = \nIf you see this message then you no longer have an account with us.\nPlease if you require a backup for you account email us at admin@???.\n



       log_message
        = from blocked emails list



       senders
        = /etc/mail.d/exim.d/conf.d/disabled-emails.list



       accept



     acl_check_rcpt:



       accept
        hosts
        = :



       deny 
        message 




= Sender claims to have a local address, but is neither authenticated nor relayed (try using SMTP-AUTH!)


       log_message 


= Forged Sender address (claims to be local user [${sender_address}], but isn't authenticated)


       !hosts 





= +relay_from_hosts


       !authenticated 
= *



       condition 



= ${if match_domain{$sender_address_domain}{+local_domains}}


       warn 


        message 




= You cannot be localhost.localdomain in the internet


       log_message 


= HELO is faked as localhost.localdomain


       condition 



= ${if match{$sender_helo_name}{\Nlocalhost\.localdomain\N}}


       warn 


        message 




= X-Invalid-HELO: HELO is IP only (See RFC2821 4.1.3)


       log_message 


= HELO ($sender_helo_name) is IP only (See RFC2821 4.1.3)


       condition 



= ${if isip{$sender_helo_name}}


       warn 


        message 




= X-Invalid-HELO: HELO is no FQDN (contains no dot) (See RFC2821 4.1.1.1)


       log_message 


= HELO ($sender_helo_name) is no FQDN (contains no dot) (See RFC2821 4.1.1.1)


       condition 



= ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}


       condition 



= ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}


       warn 


        message 




= X-Invalid-HELO: HELO is no FQDN (ends in dot) (See RFC2821 4.1.1.1)


       log_message 


= HELO ($sender_helo_name) is no FQDN (ends in dot) (See RFC2821 4.1.1.1)


       condition 



= ${if match{$sender_helo_name}{\N\.$\N}}


       warn 


        message 




= X-Invalid-HELO: HELO is no FQDN (contains double dot) (See RFC2821 4.1.1.1)


       log_message 


= HELO ($sender_helo_name) is no FQDN (contains double dot) (See RFC2821 4.1.1.1)


       condition 



= ${if match{$sender_helo_name}{\N\.\.\N}}


       warn 


        message 




= X-Invalid-HELO: Host impersonating [$primary_hostname]


       log_message 


= HELO ($sender_helo_name) impersonating [$primary_hostname]


       condition 



= ${if match{$sender_helo_name}{$primary_hostname}{yes}{no}}


       warn 


        message 




= X-Invalid-HELO: $interface_address is _my_ address


       log_message 


= HELO ($sender_helo_name) uses _my_ address ($interface_address)


       condition 



= ${if or{{\


       eq{[$interface_address]}{$sender_helo_name}\



       }{\ 





       eq{$interface_address}{$sender_helo_name}\



       }}}



       warn 


        message 





         = X-Invalid-HELO: no HELO




       log_message 


= no HELO ($sender_helo_name)


       condition 



= ${if !def:sender_helo_name}


       deny 


message



       = Restricted characters in address



       domains 




        = +local_domains



       local_parts 


        = ^[.] : ^.*[@%!/|]



       deny 


message



       = Restricted characters in address



       domains 




        = !+local_domains



       local_parts 


        = ^[./|] : ^.*[@%!] : ^.*/\\.\\./



       accept
        local_parts 


       = postmaster



       domains 




        = +local_domains



       accept
        local_parts 


       = info : marketing : sales : support : \



       abuse : noc : security : postmaster : \



       hostmaster : usenet : news : webmaster : \



       www : uucp : ftp



       domains 




        = +local_domains



       require
        verify 





         = sender



       warn
        message
        = X-Sender-Verify: FAILED ($sender_verify_failure)



       log_message
        = Sender ($sender_address) could not be verified using callout: $acl_verify_message ($sender_verify_failure)



       !verify
        = sender/callout=10s,random



       warn
        message
        = X-Sender-Verify: SUCCEEDED (sender exists & accepts mail)



       verify
        = sender/callout=10s,random



       accept 
hosts 





       = +relay_from_hosts



       control 




        = submission



       control 




        = dkim_disable_verify



       accept 
authenticated
        = *



       control 




        = submission/sender_retain/domain=



       require message 
       = relay not permitted



       domains 
        = +local_domains : +relay_to_domains



       require
        verify 
       = recipient



       accept
        domains
        = +local_domains



       endpass



       verify
        = recipient



       accept
        domains
        = +relay_to_domains



       endpass



       verify
        = recipient



       accept
        hosts
        = +relay_from_hosts



       accept
        authenticated
         = *



       deny
        message
        = relay not permitted





accept
hosts



= +relay_from_hosts




accept
authenticated = *




require message = relay not permitted






domains = +local_domains : +relay_to_domains


     acl_check_mime:



       warn
        decode
        = default



       deny
        message
        = Blacklisted file extension detected



       condition
        = ${if match \
















        {${lc:$mime_filename}} \
















        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|\.vbs)$\N} \















        {1}{0}}



       accept



     acl_check_content:



       deny
        message
        = This message contains malware ($malware_name)



       malware
        = *



       warn
        message
        = X-Spam-Score: $spam_score ($spam_bar)



       spam
        = nobody:true



       warn
        message
        = X-Spam-Report: $spam_report



       spam
        = nobody:true



       warn
        message
        = Subject: ****SPAM**** $h_Subject:



       spam 






= nobody


       warn
        message
        = X-Spam-Flag: YES



       spam
        = nobody



       warn
        message
        = This message scored $spam_score points. Congratulations!



       spam
        = nobody:true



       condition
        = ${if >{$spam_score_int}{50}{1}{0}}



       deny
        message
        = This message scored $spam_score points. Congratulations!



       spam
        = nobody:true



       condition
        = ${if >{$spam_score_int}{200}{1}{0}}



       warn
        condition
        = ${if !def:h_Message-ID: {1}}



       message
        = Message SHOULD have Message-ID: but does not



       warn
        condition
        = ${if !def:h_Date: {1}}



       message
        = Message SHOULD have Date: but does not



       deny
        message
        = Hiding of file extensions is not allowed!



       log_message
        = Dangerous extension (CLSID hidden)



       regex
        = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$



       warn
        message 




= X-Spam-Score: $spam_score\n\


       X-Spam-Score-Int: $spam_score_int\n\



       X-Spam-Bar: $spam_bar\n\



       X-Spam-Report: $spam_report



       !authenticated
        = *



       condition 



= ${if < {$message_size}{SPAM_FILESIZE_LIMIT}}



       spam 






= spamassassin:true


       defer 
        message 




= Temporary error while spam-scanning. Please try again later.


       log_message 


= message temporarily rejected, because of spam-scan error (maybe timeout)


       !authenticated 
= *



       condition 



= ${if < {$message_size}{SPAM_FILESIZE_LIMIT}}


       condition 



= ${if !def:spam_score}


       deny 


        message 




= This message is classified as UBE (SPAM) and therefore rejected. You scored $spam_score points. Congratulations!


       !authenticated 
= *



       condition 



= ${if >={$spam_score_int}{${lookup mysql{\


















SELECT ((max(spam_threshold)*2+10)*10) AS spam_reject_threshold \


















FROM user \


















WHERE SMTP_allowed='YES' \















}{$value}{15}}}{true}{false}}


       warn 
message 





       = X-Exim-Version: $version_number (build at $compile_date)\n\



       X-Date: $tod_log\n\



       X-Connected-IP: $sender_host_address:$sender_host_port



       warn message 






        = X-Message-Linecount: $message_linecount\n\ 




       X-Body-Linecount: $body_linecount\n\



       X-Message-Size: $message_size\n\



       X-Body-Size: $message_body_size



       warn
        log_message
         = DEBUG 
load_avgx1000: $load_average 
spam_score: $spam_score 
message_size: $message_size



       accept



     begin routers



     reject_domains:





driver = redirect




domains = +blocked_domains




allow_fail




data = :fail: AlDimna mail server is down - please try sending your message again later.


     uservacation:



       driver = redirect



       domains = +local_domains



       allow_filter



       hide_child_in_errmsg



       ignore_eacces



       ignore_enotdir



       reply_transport = autoreply_reply



       no_verify



       file_transport = address_file



       pipe_transport = address_pipe



       directory_transport = address_directory



       require_files = /var/mail/${domain}/${local_part}/.autoreply.vacation.conf



       file = /var/mail/${domain}/${local_part}/.autoreply.vacation.conf



       senders = !+noautoreply_senders



       user = mail



       group = mail



       unseen



     userautoreply:



       driver = redirect



       domains = +local_domains



       allow_filter



       hide_child_in_errmsg



       ignore_eacces



       ignore_enotdir



       reply_transport = autoreply_reply



       no_verify



       file_transport = address_file



       pipe_transport = address_pipe



       directory_transport = address_directory



       require_files = /var/mail/${domain}/${local_part}/.autoreply.conf



       file = /var/mail/${domain}/${local_part}/.autoreply.conf



       user = mail



       group = mail



     userfilter:



       driver = redirect



       domains = +local_domains



       allow_filter



       hide_child_in_errmsg



       ignore_eacces



       ignore_enotdir



       reply_transport = autoreply_reply



       no_verify



       file_transport = address_file



       pipe_transport = address_pipe



       directory_transport = address_directory



       require_files = /var/mail/${domain}/${local_part}/.filter.conf



       file = /var/mail/${domain}/${local_part}/.filter.conf



       user = mail



       group = mail



     dnslookup:




driver = dnslookup



domains = ! +local_domains



transport = remote_smtp



ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8



no_more


     mysql_all_domain_alias:




 driver 
       = redirect




 domains 
       = +local_domains




 local_parts 
       = alle




 data 
       = ${lookup mysql{ \





        SELECT CONCAT(username,'@',domain) AS sendto \



       FROM user \



       WHERE domain='${quote_mysql:$domain}' \



       AND SMTP_allowed='YES' \




}}



 condition 
       = ${if or {{\





       def:authenticated_id\





}{\






        eq {$sender_host_address}{127.0.0.1}\





}}\



}



file_transport = address_file



pipe_transport = address_pipe


     mysql_alias:




 driver 
       = redirect





 domains 
       = +local_domains




 file_transport 
       = address_file




 pipe_transport 
       = address_pipe




 data 
       = ${if or {{\









        def:authenticated_id\





}{\




        eq {$sender_host_address}{127.0.0.1}\





}}{\




       ${lookup mysql{ \



       SELECT sendto \



       FROM alias \



       WHERE ( username='${quote_mysql:$local_part}' \



       AND (domain='${quote_mysql:$domain}' OR domain='') )}}\





} {\


       ${lookup mysql{ \



       SELECT sendto \



       FROM alias \



       WHERE ( ( username='${quote_mysql:$local_part}' AND (domain='${quote_mysql:$domain}' OR domain='') ) \



       AND internal='NO' )}}\





}}



 local_part_suffix 
       = +*




local_part_suffix_optional


     mysql_user_condition:




 driver 
       = accept




 domains 
       = +local_domains




 caseful_local_part 
        = true




 condition 
       = ${if and {{\





       eq {${lookup mysql{ \



       SELECT CONCAT(username,'@',domain) AS email \



       FROM user \



       WHERE username='${quote_mysql:$local_part}' \



       AND domain='${quote_mysql:$domain}' \



       AND SMTP_allowed='YES' \



       }{true}{false}}}{true}\






}{\


       or {{\



       and {{\



       eq {${sg{$local_part_suffix}{^






        }{\



       lt {$tod_logfile}{${sg{$local_part_suffix}{^












        }\








}\



}{\


       and {{\



       eq {${sg{$local_part_suffix}{^





}{\


       eq {$sender_address_domain}{${sg{$local_part_suffix}{^











}\





        }\







}{\


       and {{\



       eq {${sg{$local_part_suffix}{^









}{\


       eq {${str2b64:$sender_address}}{${sg{$local_part_suffix}{^














}\





        }\







}\


       }\




}\





}\



}



 local_part_suffix 
       =





 transport 
       = local_mysql_delivery



     mysql_user:




 driver 
       = accept




 domains 
       = +local_domains




 condition 
       = ${lookup mysql{ \





       SELECT CONCAT(username,'@',domain) AS email \



       FROM user \



       WHERE username='${quote_mysql:$local_part}' \



       AND domain='${quote_mysql:$domain}' \



       AND SMTP_allowed='YES' \




}{true}{false}}



 local_part_suffix 
       = +*




local_part_suffix_optional



 transport 
       = local_mysql_delivery 






no_more


     mysql_catchall:




 driver 
       = redirect




 domains 
       = +local_domains




 file_transport 
       = address_file




 pipe_transport 
       = address_pipe




 data 
       = ${lookup mysql{ \







        SELECT sendto \



       FROM catchall \



       WHERE domain='${quote_mysql:$domain}' \




}}


     system_aliases:




driver = redirect



allow_fail



allow_defer



data = ${lookup{$local_part}lsearch{/etc/mail.d/exim.d/aliases}}



file_transport = address_file



pipe_transport = address_pipe


     localuser:




driver = accept



check_local_user



transport = local_delivery



cannot_route_message = Unknown user


     uservacation:



       driver = redirect



       domains = +local_domains



       allow_filter



       hide_child_in_errmsg



       ignore_eacces



       ignore_enotdir



       reply_transport = autoreply_reply



       no_verify



       file_transport = address_file



       pipe_transport = address_pipe



       directory_transport = address_directory



       require_files = /var/mail/${domain}/${local_part}/.autoreply.vacation.conf



       file = /var/mail/${domain}/${local_part}/.autoreply.vacation.conf



       senders = !+noautoreply_senders



       user = mail



       group = mail



       unseen



     userautoreply:



       driver = redirect



       domains = +local_domains



       allow_filter



       hide_child_in_errmsg



       ignore_eacces



       ignore_enotdir



       reply_transport = autoreply_reply



       no_verify



       file_transport = address_file



       pipe_transport = address_pipe



       directory_transport = address_directory



       require_files = /var/mail/${domain}/${local_part}/.autoreply.conf



       file = /var/mail/${domain}/${local_part}/.autoreply.conf



       user = mail



       group = mail



     userfilter:



       driver = redirect



       domains = +local_domains



       allow_filter



       hide_child_in_errmsg



       ignore_eacces



       ignore_enotdir



       reply_transport = autoreply_reply



       no_verify



       file_transport = address_file



       pipe_transport = address_pipe



       directory_transport = address_directory



       require_files = /var/mail/${domain}/${local_part}/.filter.conf



       file = /var/mail/${domain}/${local_part}/.filter.conf



       user = mail



       group = mail



     begin retry



     * 











*




F,15m,5m; F,2h,15m; G,16h,1h,1.5; F,4d,6h


     begin rewrite



     begin authenticators



     plain:



     driver 
       = plaintext



     public_name 
       = PLAIN



     server_advertise_condition 
        = ${if eq{$tls_cipher}{}{no}{yes}}



     server_condition 
       = ${if crypteq {$3}{\{sha1\}${lookup mysql{ \



       SELECT password \



       FROM user \



       WHERE CONCAT(username,'@',domain)='${quote_mysql:$2}' \



       AND SMTPAUTH_allowed='YES' \









}}}{yes}{no}}


     server_set_id 
       = $2



     login:



     driver 
       = "plaintext"



     public_name 
       = "LOGIN"



     server_prompts 
       = Username:: : Password::



     server_advertise_condition 
        = ${if eq{$tls_cipher}{}{no}{yes}}



     server_condition 
       = ${if crypteq {$2}{\{sha1\}${lookup mysql{ \



       SELECT password \



       FROM user \



       WHERE CONCAT(username,'@',domain)='${quote_mysql:$1}' \



       AND SMTPAUTH_allowed='YES' \





}}}{yes}{no}}


     server_set_id 
       = $1














      From:  Exim-users   on behalf of kuncho pencho  
  Sent:  Wednesday, July 13, 2016 1:05:07 PM
  To:  exim-users@???
  Subject:  Re: [exim] Exim server maillog are flood by spam attemps?  









     Hi,




Could you post your acl's?



Best Regards.


















>-------- Оригинално писмо --------





>От: Flan AlFlani solo9300@???





>Относно: Re: [exim] Exim server maillog are flood by spam attemps?





>До: kuncho pencho






>Изпратено на: 13.07.2016 15:52














.abv-omExternalClass P { margin-top: 0; margin-bottom: 0; }





























hello kuncho pencho ,


































I do use








blacklist but some how the spam seem to come back with

different email and Host

.




















































2016-07-13 07:41:58 [9900] 1bNJTx-0002Zd-1P => info@??? F=
P=
R=dnslookup T=remote_smtp S=3925 H=mhmxha.tele.net [194.183.128.88]:25 C="250 2.0.0 u6DCgNFs032212 Message accepted for delivery" QT=17s DT=4s

























































































Sincerely,































































From:
Exim-users

on behalf of kuncho pencho



Sent:
Wednesday, July 13, 2016 9:45 AM


To:
exim-users@???


Subject:
Re: [exim] Exim server maillog are flood by spam attemps?


































































Hi,





















Do you use any blacklist? If not, make it. Something like that:































      https://www.tekovic.com/exim-acl-for-blocking-certain-senders  






















Best Regards.




































































































>-------- Оригинално писмо --------
























>От: Flan AlFlani solo9300@???
























>Относно: [exim] Exim server maillog are flood by spam attemps?
























>До: "exim-users@???"



























>Изпратено на: 13.07.2016 07:07

































My log is flooded with those spam attemps and I wonder if there is a ACL can stop those attemps.











































maillog (this is just a sample, my log will be over a 1000 line in an hour)











































2016-07-09 22:00:32 [2252] 1bM4ys-0000aK-QP H=192-159-50-175.oolw.qwirelessbb.net (avovj.com) [192.159.50.175]:41053 I=[10.0.1.1]:465 Warning: DEBUG


load_avgx1000: 40


spam_score: 3.2


message_size: 3497





















2016-07-09 22:00:32 [2252] 1bM4ys-0000aK-QP


faisal.alazemi@???


H=192-159-50-175.oolw.qwirelessbb.net (avovj.com) [192.159.50.175]:41053 I=[10.0.1.1]:465 P=esmtpsa X=UNKNOWN:AES256-GCM-SHA384:256 CV=no A=login:faisal.alazemi@??? S=5167 id=0000b8dcc2ec$88e3d824$09deabe2$@??? T="nouvelles" from


faisal.alazemi@??? > for


siew3748@???


kammari.murali@???


kanopi@???


karenyesujin@???


kerct1969@???





















2016-07-09 22:00:32 [2401] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bM4ys-0000aK-QP





















2016-07-09 22:00:34 [2401] 1bM4ys-0000aK-QP =>


kammari.murali@???


F= faisal.alazemi@??? > P= faisal.alazemi@??? > R=dnslookup T=remote_smtp S=4156 H=gmail-smtp-in.l.google.com [74.125.136.27]:25 X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com" C="250 2.0.0 OK 1468119641 qt8si326075wjc.22 - gsmtp" QT=4s DT=2s





















2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP =>


siew3748@???


F= faisal.alazemi@??? > P= faisal.alazemi@??? > R=dnslookup T=remote_smtp S=4156 H=mta5.am0.yahoodns.net [98.138.112.33]:25 X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=*.am0.yahoodns.net" C="250 ok dirdel 4/0" QT=9s DT=7s





















2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP ->


kanopi@???


F= faisal.alazemi@??? > P= faisal.alazemi@??? > R=dnslookup T=remote_smtp S=4156 H=mta5.am0.yahoodns.net [98.138.112.33]:25 X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=*.am0.yahoodns.net" C="250 ok dirdel 4/0" QT=9s DT=7s





















2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP ->


karenyesujin@???


F= faisal.alazemi@??? > P= faisal.alazemi@??? > R=dnslookup T=remote_smtp S=4156 H=mta5.am0.yahoodns.net [98.138.112.33]:25 X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=*.am0.yahoodns.net" C="250 ok dirdel 4/0" QT=9s DT=7s





















2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP ->


kerct1969@???


F= faisal.alazemi@??? > P= faisal.alazemi@??? > R=dnslookup T=remote_smtp S=4156 H=mta5.am0.yahoodns.net [98.138.112.33]:25 X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=*.am0.yahoodns.net" C="250 ok dirdel 4/0" QT=9s DT=7s





















2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP Completed QT=9s











































2016-07-09 22:00:41 [2252] 1bM4z2-0000aK-1R H=192-159-50-175.oolw.qwirelessbb.net (avovj.com) [192.159.50.175]:41053 I=[10.0.1.1]:465 Warning: DEBUG


load_avgx1000: 30


spam_score: 1.2


message_size: 3405





















2016-07-09 22:00:41 [2252] 1bM4z2-0000aK-1R


faisal.alazemi@???


H=192-159-50-175.oolw.qwirelessbb.net (avovj.com) [192.159.50.175]:41053 I=[10.0.1.1]:465 P=esmtpsa X=UNKNOWN:AES256-GCM-SHA384:256 CV=no A=login:faisal.alazemi@??? S=5002 id=00007bfddeb3$b987df01$0586e10c$@??? T="c\342\200\231est si excitant" from


faisal.alazemi@??? > for


florencekhaw@???


sweetlin@???


ticiku@???


yhkhor@???


greenven@???





















2016-07-09 22:00:41 [2444] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bM4z2-0000aK-1R





















2016-07-09 22:00:44 [2444] 1bM4z2-0000aK-1R =>


florencekhaw@???


F= faisal.alazemi@??? > P= faisal.alazemi@??? > R=dnslookup T=remote_smtp S=4060 H=gmail-smtp-in.l.google.com [74.125.136.27]:25 X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com" C="250 2.0.0 OK 1468119651 y142si5687414wme.31 - gsmtp" QT=4s DT=2s





















2016-07-09 22:00:44 [2444] 1bM4z2-0000aK-1R ->


ticiku@???


F= faisal.alazemi@??? > P= faisal.alazemi@??? > R=dnslookup T=remote_smtp S=4060 H=gmail-smtp-in.l.google.com [74.125.136.27]:25 X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com" C="250 2.0.0 OK 1468119651 y142si5687414wme.31 - gsmtp" QT=4s DT=2s





















2016-07-09 22:00:46 [2444] 1bM4z2-0000aK-1R =>


sweetlin@???


F= faisal.alazemi@??? > P= faisal.alazemi@??? > R=dnslookup T=remote_smtp S=4060 H=mx4.hotmail.com [65.55.37.104]:25 X=UNKNOWN:ECDHE-RSA-AES256-SHA384:256 CV=no DN="/CN=*.hotmail.com" C="250






Queued mail for delivery" QT=6s DT=4s





















2016-07-09 22:00:51 [2444] 1bM4z2-0000aK-1R =>


greenven@???


F= faisal.alazemi@??? > P= faisal.alazemi@??? > R=dnslookup T=remote_smtp S=4060 H=mta5.am0.yahoodns.net [98.138.112.35]:25 X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=*.am0.yahoodns.net" C="250 ok dirdel" QT=11s DT=5s





















2016-07-09 22:02:51 [2450] 1bM4z2-0000aK-1R mailrelay.tab.com.my [202.188.95.55]:25 Connection timed out





















2016-07-09 22:02:51 [2444] 1bM4z2-0000aK-1R ==


yhkhor@???


R=dnslookup T=remote_smtp defer (110): Connection timed out





















2016-07-09 22:07:25 [2668] 1bM4z2-0000aK-1R ==


yhkhor@???


R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host





















2016-07-09 22:44:09 [3190] 1bM4z2-0000aK-1R mailrelay.tab.com.my [202.188.95.55]:25 Connection timed out





















2016-07-09 22:44:09 [3189] 1bM4z2-0000aK-1R ==


yhkhor@???


R=dnslookup T=remote_smtp defer (110): Connection timed out





















2016-07-09 23:18:58 [5210] 1bM4z2-0000aK-1R mailrelay.tab.com.my [202.188.95.55]:25 Connection timed out





















2016-07-09 23:18:58 [5209] 1bM4z2-0000aK-1R ==


yhkhor@???


R=dnslookup T=remote_smtp defer (110): Connection timed out





















2016-07-09 23:44:40 [5472] 1bM4z2-0000aK-1R mailrelay.tab.com.my [202.188.95.55]:25 Connection timed out





















2016-07-09 23:44:40 [5471] 1bM4z2-0000aK-1R ==


yhkhor@???


R=dnslookup T=remote_smtp defer (110): Connection timed out





















2016-07-10 00:30:50 [6963] 1bM4z2-0000aK-1R mailrelay.tab.com.my [202.188.95.55]:25 Connection timed out





















2016-07-10 00:30:50 [6962] 1bM4z2-0000aK-1R ==


yhkhor@???


R=dnslookup T=remote_smtp defer (110): Connection timed out





















2016-07-10 00:42:08 [7311] 1bM4z2-0000aK-1R ==


yhkhor@???


R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host





















2016-07-10 01:25:13 [9147] 1bM4z2-0000aK-1R ==


yhkhor@???


R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host





















2016-07-10 01:47:06 [9578] 1bM4z2-0000aK-1R failed to expand "${lookup mysql {SELECT domain FROM user WHERE domain='${quote_mysql:$domain}' UNION SELECT domain FROM alias WHERE domain='${quote_mysql:$domain}' UNION SELECT domain FROM catchall WHERE domain='${quote_mysql:$domain}'}}" while checking a list: lookup of "SELECT domain FROM user WHERE domain='tm.net.my' UNION SELECT domain FROM alias WHERE domain='tm.net.my' UNION SELECT domain FROM catchall WHERE domain='tm.net.my'" gave DEFER: MYSQL connection failed: Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock' (2 "No such file or directory")





















2016-07-10 01:47:06 [9578] 1bM4z2-0000aK-1R ==


yhkhor@???


R=uservacation defer (-1): domains check lookup or other defer





















2016-07-10 01:47:23 [9742] 1bM4z2-0000aK-1R ==


yhkhor@???


routing defer (-51): retry time not reached





















2016-07-10 01:47:24 [9801] cwd=/home/admin 68 args: exim -Mrm 1bM4z2-0000aK-1R 1bM51q-0000fL-1B 1bM52c-0000fL-AK 1bM52l-0000fL-Mn 1bM52v-0000fL-4U 1bM56n-0000hM-8O 1bM56r-0000hM-UJ 1bM575-0000hM-Hi 1bM5TM-0000li-AB 1bM5TS-0000li-Ra 1bM5Yq-0000mp-Gt 1bM5d4-0000pM-Jt 1bM5l8-0000qH-SC 1bM5lE-0000qH-Oq 1bM5lQ-0000qH-Gy 1bM5lT-0000qH-Kj 1bM5ld-0000qH-FR 1bM5mA-0000se-IN 1bM5mH-0000se-Jy 1bM5mP-0000se-65 1bM68I-0001Eg-Sw 1bM68x-0001Eg-ID 1bM6Xu-0001Pi-OD 1bM6ba-0001QJ-I8 1bM6bk-0001QJ-Om 1bM6bs-0001QJ-AT 1bM6bz-0001QJ-AL 1bM6c4-0001QJ-P4 1bM6cD-0001QJ-1b 1bM6oE-0001Si-IX 1bM6oR-0001Si-23 1bM6oX-0001Si-GL 1bM6yf-0001e4-Mf 1bM6yp-0001e4-TJ 1bM71Z-0001g8-2B 1bM71g-0001g8-Qm 1bM71o-0001g8-6z 1bM71t-0001g8-9L 1bM75g-0001jI-B6 1bM75t-0001jI-7W 1bM75z-0001jI-I3 1bM7Ki-0001pf-6t 1bM7Kv-0001pf-6e 1bM7L8-0001pn-Mk 1bM7dj-0001vg-2a 1bM7e1-0001vg-3w 1bM7e6-0001vg-TP 1bM7hP-0001xz-VL 1bM7kZ-00020e-19 1bM7kf-00020e-AH 1bM7kn-00020e-0G 1bM7ks-00020e-6h 1bM7ky-00020e-8q 1bM7l2-00020e-Or 1bM7l7-00


0












20e-Ay 1bM7lC-00020e-8N 1bM7lI-00020e-6R 1bM7lN-00020e-Eh 1bM7qH-0002Bu-Mm 1bM7qY-0002Bu-IK 1bM8E9-0002OG-0J 1bM8EB-0002OG-HP 1bM8EE-0002OG-0j 1bM8EG-0002OG-GX 1bM8EI-0002OG-W7 1bM8EQ-0002OG-GW





















2016-07-10 01:47:24 [9801] 1bM4z2-0000aK-1R removed by root





















2016-07-10 01:47:24 [9801] 1bM4z2-0000aK-1R Completed

































































any help would be greatly appreciated





















--





















## List details at













      https://lists.exim.org/mailman/listinfo/exim-users 























## Exim details at












      http://www.exim.org/ 























## Please use the Wiki with this list -












      http://wiki.exim.org/ 












--










## List details at









      https://lists.exim.org/mailman/listinfo/exim-users  











## Exim details at









      http://www.exim.org/  











## Please use the Wiki with this list -









      http://wiki.exim.org/  





























--

 ## List details at 
      https://lists.exim.org/mailman/listinfo/exim-users 


 ## Exim details at 
      http://www.exim.org/ 


 ## Please use the Wiki with this list - 
      http://wiki.exim.org/