Re: [exim] how to block an email sent using a script in EXIM

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: DL
Data:  
Para: Evgeniy Berdnikov, exim-users
Assunto: Re: [exim] how to block an email sent using a script in EXIM
Hello

thank you all.
Unluckly cPanel enviroment allows the usage of /usr/sbin/sendmail as alternative to
SMTP auth , so the hacker is free to use sendmail to send out spam.
And sendmail is not a symlink (is a binary) and if I replace it with a bash script , cPanel will fix it with the daily update so it's not a solution.

So , there is no way to configure exim.conf to block outgoing email sent from

cwd=/home/nordic/public_html


?

In this case if the customer is not online to fix his CMS , I need to change permissions in

/home/nordic/public_html to stop the outgoing activity . This is not a good solution because in this was his site will be off line.
For this reason I'm searching a way to block only the email sent from cwd=/home/nordic/public_html


Thank you
Graziano

> On Sat, Aug 03, 2019 at 09:25:29AM +0200, DL via Exim-users wrote:
>> Sometimes one of these accounts using a CMS get hacked, and the hacker is able to send out spam email using a CMS php vulnerability.
>> When it happens I see hundred of rows like this below in EXIM log:
>>
>> 2019-07-29 06:40:30 cwd=/home/nordic/public_html 4 args: /usr/sbin/sendmail -t -i -p125
>>
>> My question is, may I configure temporarily exim.conf to block any email sent from:
>>
>> /home/nordic/public_html
> As /usr/sbin/sendmail is usually symlink to Exim, you can substitute it
> with wrapper script, i.e. something like:
>
> ------------------------------------------------------------------------
> #!/bin/sh
> case "`pwd`" in /home/nordic/public_html )
>    cat - > /dev/null ; exit ;;
> esac
> exec /usr/sbin/exim "$@"
> ------------------------------------------------------------------------

>
> Put any desired logic here. But note that this approach does not protect
> against direct invocation of Exim, forcing SMTP+AUTH might be better.