On 13.07.2016 06:07, Flan AlFlani wrote:
> My log is flooded with those spam attempts and I wonder if there is an ACL that can
> stop those attempts.

These are not attempts, but successful misuse of your server as an open relay! 1st example:

2016-07-09 22:00:32 [2252] 1bM4ys-0000aK-QP 
H=192-159-50-175.oolw.qwirelessbb.net (avovj.com) [192.159.50.175]:41053 
I=[10.0.1.1]:465 Warning: DEBUG  load_avgx1000: 40  spam_score: 3.2  
message_size: 3497
2016-07-09 22:00:32 [2252] 1bM4ys-0000aK-QP <= [email protected] 
H=192-159-50-175.oolw.qwirelessbb.net (avovj.com) [192.159.50.175]:41053 I=[10.0.1.1]:465 
P=esmtpsa X=UNKNOWN:AES256-GCM-SHA384:256 CV=no A=login:[email protected] S=5167 
[email protected] T="nouvelles" from 
<[email protected]> for [email protected] [email protected] 
[email protected] [email protected] [email protected]
2016-07-09 22:00:32 [2401] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 
1bM4ys-0000aK-QP
2016-07-09 22:00:34 [2401] 1bM4ys-0000aK-QP => [email protected] F=<[email protected]> 
P=<[email protected]> R=dnslookup T=remote_smtp S=4156 H=gmail-smtp-in.l.google.com 
[74.125.136.27]:25 X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Mountain 
View/O=Google Inc/CN=mx.google.com" C="250 2.0.0 OK 1468119641 qt8si326075wjc.22 - gsmtp" QT=4s 
DT=2s
2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP => [email protected] F=<[email protected]> 
P=<[email protected]> R=dnslookup T=remote_smtp S=4156 H=mta5.am0.yahoodns.net [98.138.112.33]:25 
X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Sunnyvale/O=Yahoo 
Inc./OU=Information Technology/CN=*.am0.yahoodns.net" C="250 ok dirdel 4/0" QT=9s DT=7s
2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP -> [email protected] F=<[email protected]> 
P=<[email protected]> R=dnslookup T=remote_smtp S=4156 H=mta5.am0.yahoodns.net [98.138.112.33]:25 
X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Sunnyvale/O=Yahoo 
Inc./OU=Information Technology/CN=*.am0.yahoodns.net" C="250 ok dirdel 4/0" QT=9s DT=7s
2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP -> [email protected] F=<[email protected]> 
P=<[email protected]> R=dnslookup T=remote_smtp S=4156 H=mta5.am0.yahoodns.net [98.138.112.33]:25 
X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Sunnyvale/O=Yahoo 
Inc./OU=Information Technology/CN=*.am0.yahoodns.net" C="250 ok dirdel 4/0" QT=9s DT=7s
2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP -> [email protected] F=<[email protected]> 
P=<[email protected]> R=dnslookup T=remote_smtp S=4156 H=mta5.am0.yahoodns.net [98.138.112.33]:25 
X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no DN="/C=US/ST=California/L=Sunnyvale/O=Yahoo 
Inc./OU=Information Technology/CN=*.am0.yahoodns.net" C="250 ok dirdel 4/0" QT=9s DT=7s
2016-07-09 22:00:39 [2401] 1bM4ys-0000aK-QP Completed QT=9s

The mail from faisal IS accepted and delivered SUCCESSFULLY to the shown gmail and yahoo accounts. An open relay is more of a nuisance to those receivers, as they DO get spammed! You only see it in your logs. You will have problems as soon as open relay and spam DBs list you as an offender.

> any help would be greatly appreciated

This is a more complex matter. You should start by UYFSE to search for terms like "exim open relay" and learn how to configure exim.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
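
An added example, not part of the original message or of Exim itself: the `<=` line in the log above carries `P=esmtpsa` and an `A=login:` field, which is how Exim records a message accepted after SMTP AUTH, so counting arrival lines per authenticated id shows which login the mail is being sent under and from how many source addresses. The sample lines, addresses, IPs, message ids and thresholds are constructed assumptions; the recipient list after `for` is only logged when the `received_recipients` log selector is enabled.

```python
import re
from collections import defaultdict

# Arrival lines only ("<="); the optional [pid] field is present in the page's log.
ARRIVAL = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?:\[\d+\] )?\S+ <= (?P<rest>.*)$")
AUTH = re.compile(r"(?<= )A=(?P<driver>[^:\s]+):(?P<user>\S+)")   # authenticator:id
SRC_IP = re.compile(r"(?<= )H=(?:\S+ )?(?:\(\S+\) )?\[(?P<ip>[^\]]+)\]")
RCPTS = re.compile(r" for (\S+@\S+(?: \S+@\S+)*)$")              # trailing recipient list

def _line(ts, mid, user, ip, rcpts):
    """Build one constructed arrival line with the same field layout as the page's log."""
    return (f"2016-07-09 {ts} [2252] {mid} <= {user} H=host.example.net (helo.example) "
            f"[{ip}]:41053 I=[10.0.1.1]:465 P=esmtpsa X=UNKNOWN:AES256-GCM-SHA384:256 CV=no "
            f'A=login:{user} S=5167 T="nouvelles" from <{user}> for {rcpts}')

FIVE = " ".join(f"rcpt{i}@example.com" for i in range(5))
SAMPLE_LOG = "\n".join([  # constructed sample, placeholder addresses and documentation IPs
    _line("22:00:32", "1bM4ys-0000aK-AA", "user1@example.org", "192.0.2.10", FIVE),
    "2016-07-09 22:00:34 [2401] 1bM4ys-0000aK-AA => rcpt0@example.com R=dnslookup T=remote_smtp",
    _line("22:01:10", "1bM4zU-0000aQ-AB", "user1@example.org", "198.51.100.7", FIVE),
    _line("22:02:45", "1bM51b-0000aW-AC", "user1@example.org", "203.0.113.5", FIVE),
    _line("22:03:00", "1bM52c-0000aZ-AD", "user2@example.org", "192.0.2.77", "friend@example.com"),
])

def summarize(log_text):
    """Per authenticated id: messages accepted, recipients requested, distinct source IPs."""
    stats = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "ips": set()})
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        auth = AUTH.search(m["rest"]) if m else None
        if not auth:
            continue  # deliveries, warnings and unauthenticated arrivals are not counted
        entry = stats[auth["user"]]
        entry["msgs"] += 1
        rcpts = RCPTS.search(m["rest"])
        entry["rcpts"] += len(rcpts[1].split()) if rcpts else 0
        ip = SRC_IP.search(m["rest"])
        if ip:
            entry["ips"].add(ip["ip"])
    return stats

def suspicious(stats, max_rcpts=20, max_ips=2):
    """Ids over either threshold (both values are assumptions to tune per site)."""
    return sorted(u for u, s in stats.items()
                  if s["rcpts"] > max_rcpts or len(s["ips"]) > max_ips)

if __name__ == "__main__":
    for user in suspicious(summarize(SAMPLE_LOG)):
        print("review and reset credentials for:", user)
```
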
