Hi,

soumya tr <[email protected]> (Wed 05 Feb 2014 10:49:57 CET):
> Hi,
> 
> I am having issues wherein some customer's account has been hacked, and
> malicious PHP scripts are added to send out mails using the socket creation
> method [it is similar to sending out mails like telnet localhost 25]
> 
> The respective logs:
> 
> 2014-02-05 09:43:50 1WAz1K-001Zgy-HT H=localhost [127.0.0.1]:50015 Warning:
> "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT
> spam (-1.0)"
> 2014-02-05 09:43:50 1WAz1K-001Zgy-HT <= [email protected] H=localhost
> [127.0.0.1]:50015 P=smtp S=825
> [email protected]="=?utf-8?B?0JrQsNC6INC30LAg0LzQtdGB0Y/RhiDQt9Cw0YDQsNCx0L7RgtCw0YLRjCA4Nzk1JD8=?="
> for [email protected]
> 
> This is creating spamming issues and blacklisting of servers. If I disable
> port 25 connections to localhost, the mail functionality would be affected
> [as cron mails are sent via localhost]. Is there any way I can handle this
> situation?

Cron mails are sent using /usr/sbin/sendmail, normally. Thus blocking
SMTP to 127.0.0.1 should not affect your cron mails.

You could try to install an identd and
use its information:
---
    rfc1413_hosts = 127.0.0.1
    rfc1413_timeout = 10s

    acl_smtp_connect = acl_check_smtp

    begin acl
    
        acl_check_smtp:

            deny    condition = ${lookup{$sender_ident}lsearch{/etc/exim/blocked-idents}{1}{0}}
---

Another idea: IPTables (if you're on Linux) has an 'owner' match
extension, thus you can block/accept connections depending on the owner
of the connection.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
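
The 'owner' match idea from the reply above, as an added example (not part of the original message and not Exim's own code): a shell function that prints iptables rules letting only listed local accounts connect to 127.0.0.1:25 and logging the UID of every other attempt. The chain name `SMTP_LOCAL`, the log prefix and the allowlist approach are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. CHAIN and the log prefix are hypothetical names.
CHAIN=SMTP_LOCAL

# Print (not apply) the rules; arguments are the accounts that may still
# speak SMTP to the local MTA. Review the output, then pipe it to `sh` as root.
smtp_owner_rules() {
    # Resolve every name first so a typo cannot leave a half-built chain.
    uids=""
    for user in "$@"; do
        uid=$(id -u "$user" 2>/dev/null) || {
            echo "unknown user: $user" >&2
            return 1
        }
        uids="$uids $uid"
    done

    echo "iptables -N $CHAIN"
    for uid in $uids; do
        # The owner match is only valid for locally generated packets (OUTPUT).
        echo "iptables -A $CHAIN -m owner --uid-owner $uid -j ACCEPT"
    done
    # --log-uid records which account opened the socket, which the Exim
    # log line for H=localhost [127.0.0.1] does not show without ident.
    echo "iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-uid --log-prefix 'smtp-local-denied: '"
    echo "iptables -A $CHAIN -p tcp -j REJECT --reject-with tcp-reset"
    # Send only loopback SMTP through the chain; other traffic is untouched.
    echo "iptables -A OUTPUT -o lo -p tcp -d 127.0.0.1 --dport 25 -j $CHAIN"
}

# Example: smtp_owner_rules root | sh
```

Connections to ::1 need the same rules through ip6tables, and mail handed to /usr/sbin/sendmail is not affected because it does not open a TCP connection to port 25.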