Author: Evgeniy Berdnikov Date: To: exim-users Subject: Re: [exim] how to block an email sent using a script in EXIM
On Sat, Aug 03, 2019 at 09:25:29AM +0200, DL via Exim-users wrote: > Sometimes one of these accounts using a CMS get hacked, and the hacker is able to send out spam email using a CMS php vulnerability.
> When it happens I see hundred of rows like this below in EXIM log:
>
> 2019-07-29 06:40:30 cwd=/home/nordic/public_html 4 args: /usr/sbin/sendmail -t -i -p125
>
> My question is, may I configure temporarily exim.conf to block any email sent from:
>
> /home/nordic/public_html
As /usr/sbin/sendmail is usually symlink to Exim, you can substitute it
with wrapper script, i.e. something like:
------------------------------------------------------------------------
#!/bin/sh
case "`pwd`" in /home/nordic/public_html )
cat - > /dev/null ; exit ;;
esac
exec /usr/sbin/exim "$@"
------------------------------------------------------------------------
Put any desired logic here. But note that this approach does not protect
against direct invocation of Exim, forcing SMTP+AUTH might be better.
--
Eugene Berdnikov