--On 9 July 2006 20:32:03 -0400 "Bridgit Griffin (Withers)" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Recently, since late Jun, I have been seeing spam that appears to be
> sent from an email alias I have. However, closer inspection of the spam
> headers shows that someone connected into the smtp server (Exim ver
> 4.52) then sent it out using my alias.
>
> My question is this an exploit or a configuration problem?

I think you mean "is this a vulnerability or a configuration problem"? A vulnerability is not an exploit, merely an opportunity that could be exploited for nefarious means.

In fact, this is a design flaw in the way Internet email works. It's quite complex, but there are ways of configuring Exim to work within the design but minimise the flaw. For example, it would be possible to configure the server such that it will only accept email from your domain when you are logged in to the server with a secure password. However, that will produce side effects that might not be acceptable to you, which is why it is not done by default.

> My other question is there a way to shut this down? Or can I get enough
> info to bring to my hosting provider so they can fix whatever problem
> may be on their side?

You could ask them to require authenticated SMTP for email purporting to be from your domains. However, you'll need to be sure that your MUA is configured to support that - and similarly for any other people sending email from those domains. You also need to be aware that this could break your membership of some mailing lists (you might not see emails that you've sent to the list).

Furthermore, you need to decide whether you want the Message Headers inspected, as well as the envelope (which you can't see here). It's entirely possible that the sender address given in the envelope isn't the address in the "From:" header.

> Please note I do not have control over the smtp server, my hosting
> provider does. Also there are no email accounts associated with the
> domains. This has happened on 4 different domains that I have. Please
> see a sample of the header below.
>
> Thanks!
>
> Received: from [220.70.206.152] (port=4460 helo=67.19.170.34)
>     by mustang.websitewelcome.com with smtp (Exim 4.52)
>     id 1Fv3uo-0006yP-G2 for [EMAIL PROTECTED]; Mon,
>     26 Jun 2006 22:07:03 -0500
> Date: Mon, 26 Jun 2006 23:07:10 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: [EMAIL PROTECTED]
> Subject: Re: hi
> To: [EMAIL PROTECTED]
> Message-id: <[EMAIL PROTECTED]>
> X-AntiAbuse: This header was added to track abuse,
>     please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - colonichealth.net
> X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
> X-AntiAbuse: Sender Address Domain - colonichealth.net
>
>
> Received: from [60.179.219.85] (port=1166
> helo=85.219.179.60.broad.nb.zj.dynamic.cndata.com) by
> mustang.websitewelcome.com with smtp (Exim 4.52)
> id 1FvZCG-000049-4X for [EMAIL PROTECTED]; Wed, 28 Jun 2006 07:31:15
> -0500 Date: Wed, 28 Jun 2006 08:31:22 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: [EMAIL PROTECTED]
> Subject: Something for your site..
> To: [EMAIL PROTECTED]
> Message-id: <[EMAIL PROTECTED]>
> X-AntiAbuse: This header was added to track abuse,
>     please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - nceweb.com

--
Ian Eiloart
IT Services, University of Sussex

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
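An added example, not part of the original message or of Exim: a header triage script that shows which mail an "authenticated SMTP for my own domains" policy would have refused, checked separately against the envelope and the "From:" header as the reply distinguishes them. It assumes Exim records `esmtpa` or `esmtpsa` after "with" when the client authenticated, and that the host's `X-AntiAbuse: Sender Address Domain` line reflects the envelope sender; the function names and the example.org/example.com addresses are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: Exim writes "esmtpa"/"esmtpsa" after "with" when SMTP AUTH was used.
AUTHENTICATED = {"esmtpa", "esmtpsa"}

# Constructed sample modelled on the first header in the post; the redacted
# addresses and the sender domain are replaced with placeholders.
SAMPLE = (
    "Received: from [220.70.206.152] (port=4460 helo=67.19.170.34)\n"
    "\tby mustang.websitewelcome.com with smtp (Exim 4.52)\n"
    "\tid 1Fv3uo-0006yP-G2 for someone@example.com; Mon,\n"
    "\t26 Jun 2006 22:07:03 -0500\n"
    "From: alias@example.org\n"
    "Subject: Re: hi\n"
    "To: someone@example.com\n"
    "X-AntiAbuse: Sender Address Domain - example.org\n"
    "\n"
    "body\n"
)

def received_protocol(msg):
    """Protocol named in the topmost (most recent) Received header, or None."""
    m = re.search(r"\bwith\s+(\w+)", msg.get("Received", ""))
    return m.group(1).lower() if m else None

def envelope_domain(msg):
    """Envelope sender domain as reported by the host's X-AntiAbuse header."""
    for value in msg.get_all("X-AntiAbuse", []):
        m = re.match(r"Sender Address Domain - (\S+)", value.strip())
        if m:
            return m.group(1).lower()
    return None

def header_domain(msg):
    """Domain of the address in the From: header, or None if absent."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() or None

def check(raw, protected):
    """Report whether an unauthenticated message used a protected domain."""
    msg = message_from_string(raw)
    proto = received_protocol(msg)
    authed = proto in AUTHENTICATED
    return {"protocol": proto, "authenticated": authed,
            "envelope_hit": not authed and envelope_domain(msg) in protected,
            "header_hit": not authed and header_domain(msg) in protected}

if __name__ == "__main__":
    print(check(SAMPLE, {"example.org"}))
```

A `header_hit` without an `envelope_hit` is what a mailing list's copy of your own post looks like, which is the side effect the reply warns about before enforcing the header check.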
