
Hello all

I'm having a heck of a problem. My system supposedly does not allow unauthorized relaying, yet Exim V4 is apparently sending out hundreds and hundreds of messages (to persons-YDxpq3io04c at public.gmane.org).

- It would seem they are "from" apache-WYle8UNbkfMGClDRh0WFwpAGcjtitEbrAL8bYrjMMd8 at public.gmane.org
- Their source is P=local (not smtp). Somehow, these messages are originating from my system (not relayed from somewhere else).
- Local user p911-alan is the first recipient. His message shows that there is one (and only one) additional "To" who is a non-existent person-PyrWk/hl1m8sac7YOPP9X1aTQe2KTcn/@public.gmane.org
- /var/log/exim/main.log shows a heck of a lot of other people are being sent that same message

Does anyone have any suggestions? I'd sure like to know how this guy is doing it...

exigrep extract re: 2003-12-10 22:05:56 1AUH9I-0000Eb-Qr

<= apache-WYle8UNbkfMGClDRh0WFwpAGcjtitEbrAL8bYrjMMd8 at public.gmane.org U=apache P=local S=3387 T="Adobe Photoshop"
lowest numbered MX record points to local host: www.perimeter911.com
== cristi898-PyrWk/hl1m8sac7YOPP9X1aTQe2KTcn/@public.gmane.org R=lookuphost defer (-1): lowest numbered MX record points to local host
=> p911-alan <answers-I2tnHk3vA3RB9i3/4EaAEw at public.gmane.org> R=local_director T=maildir_delivery
Remote host mailin-02.mx.aol.com [205.188.159.57] closed connection in response to end of data
=> mawwwwwwww-YDxpq3io04c at public.gmane.org R=lookuphost T=remote_smtp H=mailin-02.mx.aol.com [205.188.159.57]
-> gwbw2-YDxpq3io04c at public.gmane.org R=lookuphost T=remote_smtp H=mailin-02.mx.aol.com [205.188.159.57]
-> ..and hundreds of more recipient-5uyhOP+zmq2tXF2fZOsJYA at public.gmane.org

--
--------------------------------------
Please do not respond in HTML
Alan Cohen
alan-QVObF66B6qeOg/Yh5kgvkFaTQe2KTcn/@public.gmane.org
voice: 416-783-9826
fax: 240-269-7457

--
The Toronto Linux Users Group.
Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
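The tell in the exigrep extract above is the arrival line: P=local with U=apache means the message was handed to exim by a process running as the web server's account, not received over SMTP from somewhere else. The script below is an added example and is not code from either post; it parses Exim 4 main.log lines in that format, groups them by message ID, and lists messages injected locally by a web-server account with an unusually large recipient count, plus a per-account tally of local injections. The log lines in sample_log() are constructed to mirror the posted extract; the addresses, hosts and the two extra message IDs are made up, and the WEB_USERS set and the 20-recipient threshold are assumptions to tune for your own host.

```python
"""Triage an Exim 4 main.log for bulk mail injected by a local account.

Added example for this thread, not code from the original posts. The log
lines in sample_log() are constructed in Exim 4 main.log format to mirror
the posted exigrep extract; addresses, hosts and the two extra message IDs
are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# "<date> <time> <msgid> <flag> <rest>"; lines with no flag (e.g. Completed) are skipped
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<flag><=|=>|->|==|\*\*|\*>) (?P<rest>.*)$"
)
# single-letter key=value fields: U=apache P=local S=3387 T="subject" H=host R=router
FIELD_RE = re.compile(r'(?:^|\s)(?P<key>[A-Z])=(?P<val>"[^"]*"|\S+)')


@dataclass
class Message:
    msgid: str
    sender: str = ""
    protocol: Optional[str] = None  # P=local: handed to exim by a local process
    user: Optional[str] = None      # U=<account> that ran exim (P=local only)
    subject: Optional[str] = None
    delivered: List[str] = field(default_factory=list)  # => and ->
    deferred: List[str] = field(default_factory=list)   # ==
    failed: List[str] = field(default_factory=list)     # **
    remote_hosts: Set[str] = field(default_factory=set)

    def recipient_count(self) -> int:
        return len(self.delivered) + len(self.deferred) + len(self.failed)


def _split_rest(rest: str):
    """Split the text after the flag into (address, {key: value})."""
    fields, first = {}, None
    for m in FIELD_RE.finditer(rest):
        first = m.start() if first is None else first
        fields[m.group("key")] = m.group("val").strip('"')
    return (rest if first is None else rest[:first]).strip(), fields


def parse_log(lines: Iterable[str]) -> Dict[str, Message]:
    """Group main.log lines by message ID and record who injected each one."""
    messages: Dict[str, Message] = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        msg = messages.setdefault(m["msgid"], Message(m["msgid"]))
        address, fields = _split_rest(m["rest"])
        if m["flag"] == "<=":              # arrival: T= is the subject here
            msg.sender, msg.subject = address, fields.get("T")
            msg.protocol, msg.user = fields.get("P"), fields.get("U")
        elif m["flag"] in ("=>", "->"):    # delivery; H= is the remote MX
            msg.delivered.append(address)
            if "H" in fields:
                msg.remote_hosts.add(fields["H"])
        elif m["flag"] == "==":
            msg.deferred.append(address)
        elif m["flag"] == "**":
            msg.failed.append(address)
    return messages


WEB_USERS = frozenset({"apache", "www-data", "httpd", "nobody"})  # assumed web-server accounts


def triage(messages: Dict[str, Message], web_users=WEB_USERS, min_recipients: int = 20) -> List[Message]:
    """Messages injected locally by a web-server account with many recipients."""
    hits = [m for m in messages.values()
            if m.protocol == "local" and m.user in web_users
            and m.recipient_count() >= min_recipients]
    return sorted(hits, key=Message.recipient_count, reverse=True)


def injections_by_user(messages: Dict[str, Message]) -> Dict[str, int]:
    """How many messages each local account handed to exim (P=local only)."""
    counts: Dict[str, int] = {}
    for m in messages.values():
        if m.protocol == "local" and m.user:
            counts[m.user] = counts.get(m.user, 0) + 1
    return counts


def sample_log() -> List[str]:
    """Constructed log lines: one bulk run as apache, one normal local send, one inbound."""
    b, mx = "1AUH9I-0000Eb-Qr", "H=mx1.example.net [192.0.2.25]"
    lines = [
        f'2003-12-10 22:05:56 {b} <= apache@www.example.com U=apache P=local S=3387 T="Adobe Photoshop"',
        f"2003-12-10 22:05:57 {b} == cristi898@example.com R=lookuphost defer (-1): lowest numbered MX record points to local host",
        f"2003-12-10 22:05:57 {b} => p911-alan <answers@www.example.com> R=local_director T=maildir_delivery",
        f"2003-12-10 22:05:58 {b} => maw@example.net R=lookuphost T=remote_smtp {mx}",
    ]
    lines += [f"2003-12-10 22:05:58 {b} -> user{i}@example.net R=lookuphost T=remote_smtp {mx}" for i in range(21)]
    lines += [
        f"2003-12-10 22:05:59 {b} ** bogus@example.org R=lookuphost T=remote_smtp: Unrouteable address",
        f"2003-12-10 22:06:00 {b} Completed",
        "2003-12-10 22:10:01 1AUHDR-0000Fa-1b <= alan@www.example.com U=alan P=local S=812",
        "2003-12-10 22:10:02 1AUHDR-0000Fa-1b => tlug@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10]",
        "2003-12-10 22:12:40 1AUHFv-0000Gc-2c <= friend@example.org H=mx.example.org [192.0.2.10] P=esmtp S=2201",
        "2003-12-10 22:12:41 1AUHFv-0000Gc-2c => alan <alan@www.example.com> R=local_director T=maildir_delivery",
    ]
    return lines


if __name__ == "__main__":
    msgs = parse_log(sample_log())  # real use: parse_log(open("/var/log/exim/main.log"))
    for hit in triage(msgs):
        print(f"{hit.msgid}: U={hit.user} P={hit.protocol} subject={hit.subject!r} "
              f"recipients={hit.recipient_count()} hosts={sorted(hit.remote_hosts)}")
    print("local injections by user:", injections_by_user(msgs))
```

Pointed at the real /var/log/exim/main.log, the output tells you which local account is injecting the bulk mail and which local delivery (here the first recipient's copy) to read for the full header set; the web server's access log for the same timestamps then points at the script or form handler that invoked sendmail. Adding `arguments` to Exim 4's log_selector records the command line of each local invocation, which ties an injection directly to its caller. Recipient counts come from delivery lines, so a message still sitting unattempted in the queue shows zero recipients unless `received_recipients` is also logged.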

I just went through a few weeks of security and server hell. I would save you some pain.

A. Get a separate firewall box if you do not currently have one. I would recommend running your servers behind the firewall with a NAT address (i.e. no bastion servers). (Opinions will vary here.) I chose the SmoothWall 2.0. I am one happy admin now with my network and server setup. (Ask me how happy :)
B. Use tcpdump or lsof -i or other network tools to see what remote connections are there during these spammings.
C. Blocking out just that one spammer network block or IP is useless, since it doesn't fix the systemic problem with security.
D. Review your system top down for security and reset all passwords in the system. You can maybe skip this step, but that's your call.
E. Others in this list more qualified than I may save you (and me) some future steps or caveats.

----- Original Message -----
From: "Alan Cohen" <alan-QVObF66B6qeOg/Yh5kgvkFaTQe2KTcn/@public.gmane.org>
To: <tlug-lxSQFCZeNF4 at public.gmane.org>
Sent: Wednesday, December 10, 2003 11:45 PM
Subject: [TLUG]: Exim problem
Hello all
I'm having a heck of a problem. My system supposedly does not allow unauthorized relaying, yet Exim V4 is apparently sending out hundreds and hundreds of messages (to persons-YDxpq3io04c at public.gmane.org).
- It would seem they are "from" apache-WYle8UNbkfMGClDRh0WFwpAGcjtitEbrAL8bYrjMMd8 at public.gmane.org
- Their source is P=local (not smtp). Somehow, these messages are originating from my system (not relayed from somewhere else).
- Local user p911-alan is the first recipient. His message shows that there is one (and only one) additional "To" who is a non-existent person-PyrWk/hl1m8sac7YOPP9X1aTQe2KTcn/@public.gmane.org
- /var/log/exim/main.log shows a heck of a lot of other people are being sent that same message
Does anyone have any suggestions? I'd sure like to know how this guy is doing it...
exigrep extract re: 2003-12-10 22:05:56 1AUH9I-0000Eb-Qr
<= apache-WYle8UNbkfMGClDRh0WFwpAGcjtitEbrAL8bYrjMMd8 at public.gmane.org U=apache P=local S=3387 T="Adobe Photoshop"
lowest numbered MX record points to local host: www.perimeter911.com
== cristi898-PyrWk/hl1m8sac7YOPP9X1aTQe2KTcn/@public.gmane.org R=lookuphost defer (-1): lowest numbered MX record points to local host
=> p911-alan <answers-I2tnHk3vA3RB9i3/4EaAEw at public.gmane.org> R=local_director T=maildir_delivery
Remote host mailin-02.mx.aol.com [205.188.159.57] closed connection in response to end of data
=> mawwwwwwww-YDxpq3io04c at public.gmane.org R=lookuphost T=remote_smtp H=mailin-02.mx.aol.com [205.188.159.57]
-> gwbw2-YDxpq3io04c at public.gmane.org R=lookuphost T=remote_smtp H=mailin-02.mx.aol.com [205.188.159.57]
-> ..and hundreds of more recipient-5uyhOP+zmq2tXF2fZOsJYA at public.gmane.org

--
--------------------------------------
Please do not respond in HTML
Alan Cohen
alan-QVObF66B6qeOg/Yh5kgvkFaTQe2KTcn/@public.gmane.org
voice: 416-783-9826
fax: 240-269-7457
participants (2)
- alan-QVObF66B6qeOg/Yh5kgvkFaTQe2KTcn/@public.gmane.org
- teddymills-VFlxZYho3OA@public.gmane.org