Broken in...
Hello,

It seems someone found a hole in our Exim 3.12 system over the weekend and
started using our email server to relay junk email. Turning off relay was already
in place. They found some other hole by using a specific username. I have had to
turn off this username via the system filter to temporarily disable the stream of email
filling up the mail queue. Now the log has a whole bunch of messages that look like
this:

2002-07-15 13:30:42 17U9gI-0000uU-00 <= user@ourdomain U=user P=local S=1168
2002-07-15 13:30:42 17U9gI-0000uU-00 => discarded (message_filter)
2002-07-15 13:30:42 17U9gI-0000uU-00 Completed

I have changed the actual username and domain but the general idea should be clear.

The problem is that it does not list sending host or any other info. I do not have enough
knowledge to figure out how to track down where this stuff is coming from...

Does anybody know how I can shut this off? It seems the Exim system thinks these
emails are actually being generated locally?

I found the "forbid_domain_literals" option and set it to true and restarted the Exim 3.12
but maybe that was not the solution.

Please help as I need to make this username accessible again as internal automated emails
are generated via username.

Thanks,

Guru
Re: Broken in...
On Mon, 15 Jul 2002, Gururajan Ramachandran wrote:

>
> Hello,
>
> It seems someone found a hole in our Exim 3.12 system over the weekend and
> started using our email server to relay junk email. Turning off relay was already
> in place. They found some other hole by using a specific username. I have had to
> turn off this username via the system filter to temporarily disable the stream of email
> filling up the mail queue. Now the log has a whole bunch of messages that look like
> this:
>
> 2002-07-15 13:30:42 17U9gI-0000uU-00 <= user@ourdomain U=user P=local S=1168

"P=local" - the message is not entering your system via SMTP, but from a
local process. Perhaps you have an insecure formmail script installed in
the webserver cgi-bin ?


> 2002-07-15 13:30:42 17U9gI-0000uU-00 => discarded (message_filter)
> 2002-07-15 13:30:42 17U9gI-0000uU-00 Completed
>
> I have changed the actual username and domain but the general idea should be clear.
>
> The problem is that it does not list sending host or any other info. I do not have enough
> knowledge to figure out how to track down where this stuff is coming from...
>
> Does anybody know how I can shut this off? It seems the Exim system thinks these
> emails are actually being generated locally?

They *are* being received by exim locally from some other process calling
exim. Where the other processes might be getting them, exim does not
know, nor can it.

>
> I found the "forbid_domain_literals" option and set it to true and restarted the Exim 3.12
> but maybe that was not the solution.
>
> Please help as I need to make this username accessible again as internal automated emails
> are generated via username.
>
> Thanks,
>
> Guru
Re: Broken in...
On Mon, Jul 15, 2002 at 01:54:12PM -0400, Gururajan Ramachandran wrote:
|
| Hello,
|
| It seems someone found a hole in our Exim 3.12 system over the weekend and
| started using our email server to relay junk email. Turning off
| relay was already in place. They found some other hole by using a
| specific username. I have had to turn off this username via the
| system filter to temporarily disable the stream of email filling up
| the mail queue. Now the log has a whole bunch of messages that look
| like this:
|
| 2002-07-15 13:30:42 17U9gI-0000uU-00 <= user@ourdomain U=user P=local S=1168
                                                                ^^^^^^^
| 2002-07-15 13:30:42 17U9gI-0000uU-00 => discarded (message_filter)
| 2002-07-15 13:30:42 17U9gI-0000uU-00 Completed
|
| I have changed the actual username and domain but the general idea
| should be clear.
|
| The problem is that it does not list sending host or any other info.

It came from your own machine. It didn't come from an SMTP session,
but rather someone invoking /usr/sbin/exim and piping the message in.

| I do not have enough knowledge to figure out how to track down where
| this stuff is coming from...
|
| Does anybody know how I can shut this off? It seems the Exim system
| thinks these emails are actually being generated locally?

They are.

| Please help as I need to make this username accessible again as
| internal automated emails are generated via username.

Just a guess, does that user have a 'formmail.pl' script somewhere?
That's a well known way for spammers to use HTTP to anonymously relay
through you and make you look like a spammer.

What I would do is create a shell script of some sort and place it as
/usr/sbin/exim. This wrapper will log everything you can think of (eg
the output of /usr/bin/env) so that you can see how that user is
invoking exim.

HTH,
-D

--
Your beauty should not come from outward adornment, such as braided hair
and the wearing of gold jewelry and fine clothes. Instead, it should be
that of your inner self, the unfading beauty of a gentle and quiet
spirit, which is of GREAT WORTH in God's sight. For this is the way the
holy women of the past used to make themselves beautiful.
I Peter 3:3-5

http://dman.ddts.net/~dman/
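A wrapper of the kind the second reply describes, written here as an added example (it is not code from the thread or from Exim). It ties a P=local mainlog entry, which both replies explain is a local submission rather than an SMTP session, back to the process that invoked exim. It assumes the real binary has been moved to /usr/sbin/exim.real and that /var/log/exim-wrapper.log is writable by every local submitter, including the web server user; both paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a logging wrapper installed in place of
# /usr/sbin/exim after moving the real binary aside to /usr/sbin/exim.real
# (both paths are assumptions). It records who called exim, from where and
# with what arguments, then hands the call to the real exim unchanged.

REAL_EXIM="${REAL_EXIM:-/usr/sbin/exim.real}"      # assumed: real binary moved here
WRAP_LOG="${WRAP_LOG:-/var/log/exim-wrapper.log}"  # assumed: writable by every submitter

# Print one record describing an invocation to stdout.
# $1 = pid, $2 = ppid, $3 = parent command line, rest = argv passed to "exim".
format_record() {
    pid=$1; ppid=$2; parent=$3; shift 3
    echo "=== $(date '+%Y-%m-%d %H:%M:%S') pid=$pid ppid=$ppid uid=$(id -u) user=$(id -un)"
    echo "cwd: $(pwd)"
    echo "parent: $parent"
    echo "args: $*"
    echo "env:"
    env | sed 's/^/  /'
}

# Resolve the parent's command line (Linux /proc first, ps as a fallback,
# "unknown" if neither works) and append the record to the log file.
log_invocation() {
    if [ -r "/proc/$PPID/cmdline" ]; then
        parent=$(tr '\0' ' ' < "/proc/$PPID/cmdline")
    else
        parent=$(ps -o args= -p "$PPID" 2>/dev/null || echo unknown)
    fi
    format_record "$$" "$PPID" "${parent:-unknown}" "$@" >> "$WRAP_LOG"
}

# Act as the wrapper only when invoked under exim's name (or the usual
# sendmail alias). A logging failure must never stop mail, so it is ignored.
case "$(basename "$0")" in
    exim|sendmail)
        log_invocation "$@" 2>/dev/null || true
        exec "$REAL_EXIM" "$@"
        ;;
esac
```

The wrapper runs as the caller, so leave the setuid bit on the real binary rather than on the script, and match the logged parent command lines against the timestamps of the P=local entries in mainlog.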