Re: [exim] Hit with some kind of hidden multiple recipient…

Author: Sebastian Nielsen
Date:
To: 'Mailing List'
Subject: Re: [exim] Hit with some kind of hidden multiple recipients relay hack?
I suspect someone hacked one of your SMTP passwords.
There are bots out there that guess passwords.

If you use SMTP submission, then firewall port 587 to the IPs your users
use.
Otherwise, if you accept authenticated submission on port 25, then add the
following line to your config:

auth_advertise_hosts = IP/CIDR : IP/CIDR : IP/CIDR

where IP/CIDR is a network in CIDR format, for example: 192.168.0.0/16

This will lock out authentication so it cannot happen from unauthorized
hosts, thus bots will not be able to crack the password, as there's no
possibility to submit a password without having the IP authorized.

-----Original message-----
From: Jeremy Harris via Exim-users <exim-users@???>
Sent: 24 February 2022 22:08
To: exim-users@???
Subject: Re: [exim] Hit with some kind of hidden multiple recipients relay hack?

On 22/02/2022 18:39, Henry S. Thompson via Exim-users wrote:
> I came back from a few days out of town to find 1000s of frozen queue
> entries and my server blacklisted by gmail. Here's a sample:
>
>    : mailq | head -20
>     6d  1.3K 1nKNYR-000bDv-0w <test@???> *** frozen ***
>            D 0002arun@???
>            D 0005ace@???
>            D 00076alek@???
>            D 0007sd@???
>            D 000top@???
>            D 001adline@???
>            D 001andrecarter@???
>            D 001mayer@???
>            D 001ndumiso@???
>            D 001ontu@???
>            D 001oricom@???
>            D 002samudra@???
>            D 002xyz@???
>              003garciab1@???
>            D 0069kh@???
>            D 007forme@???
>
> And here's what that item looks like in detail:
>
>    : exim4 -Mvc 1nKNYR-000bDv-0w|head -20
>    Received: from [103.104.169.173] (helo=ogcb16c7f19.openstacklocal)
>            by home.hst.name with esmtp (Exim 4.94.2)
>            (envelope-from <test@???>)
>            id 1nKNYR-000bDv-0w; Wed, 16 Feb 2022 16:53:23 +0000
>    Content-Type: text/plain; charset="utf-8"
>    MIME-Version: 1.0
>    Content-Transfer-Encoding: quoted-printable
>    Content-Description: Mail message body
>    Subject: From The Commissioner Debt Management Service
>    To: Recipients <test@???>
>    From: "Mr. Timothy Gribben" <test@???>
>    Date: Thu, 17 Feb 2022 00:53:15 +0800
>    Reply-To: timothygribs00@???
>
>    ...
>
> I don't have open relaying set up, at least I don't think so, and a
> few online checkers agree...
>
> How is this happening/where are the recipients coming from?


Start with your log. How was 1nKNYR-000bDv-0w submitted?

From the headers:
Is "home.hst.name" your system? (PS: Obfuscation makes it
harder to help). Is [103.104.169.173] on your net?

--
Cheers,
Jeremy
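Jeremy's advice to start from the log and establish how the message was submitted, and Sebastian's suspicion of a stolen SMTP password, can both be checked mechanically against Exim's mainlog. The script below is an added example, not code from the thread or from Exim: it parses constructed "<=" arrival lines (the ids, addresses and IPs are made up) and flags one authenticated user submitting from several IPs, plus unauthenticated mail from outside an assumed trusted network that claims an assumed local sender domain.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed Exim mainlog "<=" (arrival) lines; ids, addresses and IPs are
# made up for this example and are not taken from the thread.
SAMPLE_LOG = """\
2022-02-16 16:50:01 1nKNVB-000bCq-2x <= alice@example.net H=mail.example.net [203.0.113.10] P=esmtpsa A=plain:alice S=812
2022-02-16 16:51:14 1nKNWO-000bDa-1f <= test@example.net H=(ogcb16c7f19.openstacklocal) [198.51.100.7] P=esmtpa A=login:test S=1301
2022-02-16 16:52:03 1nKNXD-000bDj-0q <= test@example.net H=(vps-3) [198.51.100.99] P=esmtpa A=login:test S=1298
2022-02-16 16:53:23 1nKNYR-000bEf-1z <= test@example.net H=(ogcb16c7f19.openstacklocal) [192.0.2.44] P=esmtp S=1310
"""
# H= appears as "host [ip]", "(helo) [ip]" or "host (helo) [ip]"; A= is
# "authenticator:authenticated-id" and is absent when no SMTP AUTH was used.
ARRIVAL = re.compile(
    r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<rdns>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
    r"(?P<rest>.*)$"
)
PROTO = re.compile(r" P=(\S+)")
AUTH = re.compile(r" A=[^:\s]+:(\S+)")

def parse_arrivals(log_text):
    """One dict per '<=' line: message id, envelope sender, peer IP, protocol, auth user."""
    records = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery (=>), completion and error lines are not arrivals
        p, a = PROTO.search(m["rest"]), AUTH.search(m["rest"])
        records.append({"id": m["id"], "sender": m["sender"], "ip": m["ip"],
                        "proto": p.group(1) if p else None,
                        "auth_user": a.group(1) if a else None})
    return records

def find_suspicious(records, local_domains, trusted_nets):
    """Flag (a) an authenticated user submitting from more than one IP (stolen
    password signal) and (b) unauthenticated mail from outside trusted_nets with a local sender."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    ips_by_user = defaultdict(set)
    unauth_local = []
    for r in records:
        trusted = any(ipaddress.ip_address(r["ip"]) in n for n in nets)
        if r["auth_user"]:
            ips_by_user[r["auth_user"]].add(r["ip"])
        elif r["sender"].rsplit("@", 1)[-1] in local_domains and not trusted:
            unauth_local.append(r["id"])
    multi_ip = {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > 1}
    return {"multi_ip_auth": multi_ip, "unauth_local_sender": unauth_local}
```

Run it over the real mainlog with your own domain and submission network in place of the assumed `example.net` and `203.0.113.0/24`; a user appearing under `multi_ip_auth` from unfamiliar addresses is the account whose password to reset first.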

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/