Re: [exim] how to block an email sent using a script in EXIM

Top Page
This message is part of the following thread:
M+\the complete thread tree sorted by date
MMMNiels Dettenbach (Syndicat IT & Internet) at <-
.MDL at ->
Delete this message
Reply to this message
Author: Evgeniy Berdnikov
Date:  
To: exim-users
Subject: Re: [exim] how to block an email sent using a script in EXIM
On Sat, Aug 03, 2019 at 09:25:29AM +0200, DL via Exim-users wrote:
> Sometimes one of these accounts using a CMS get hacked, and the hacker is able to send out spam email using a CMS php vulnerability.
> When it happens I see hundred of rows like this below in EXIM log:
>
> 2019-07-29 06:40:30 cwd=/home/nordic/public_html 4 args: /usr/sbin/sendmail -t -i -p125
>
> My question is, may I configure temporarily exim.conf to block any email sent from:
>
> /home/nordic/public_html

As /usr/sbin/sendmail is usually symlink to Exim, you can substitute it
with wrapper script, i.e. something like:

------------------------------------------------------------------------
#!/bin/sh
case "`pwd`" in /home/nordic/public_html )
cat - > /dev/null ; exit ;;
esac
exec /usr/sbin/exim "$@"
------------------------------------------------------------------------

Put any desired logic here. But note that this approach does not protect
against direct invocation of Exim, forcing SMTP+AUTH might be better.
--
Eugene Berdnikov

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] how to block an email sent using a script in EXIMRe: [exim] how to block an email sent using a script in EXIM->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)