Hello
thank you all.
Unluckly cPanel enviroment allows the usage of /usr/sbin/sendmail as
alternative to
SMTP auth , so the hacker is free to use sendmail to send out spam.
And sendmail is not a symlink (is a binary) and if I replace it with a bash
script , cPanel will fix it with the daily update so it's not a solution.
So , there is no way to configure exim.conf to block outgoing email sent from
cwd=/home/nordic/public_html
?
In this case if the customer is not online to fix his CMS , I need to change
permissions in
/home/nordic/public_html to stop the outgoing activity . This is not a good
solution because in this was his site will be off line.
For this reason I'm searching a way to block only the email sent from
cwd=/home/nordic/public_html
Thank you
Graziano
On Sat, Aug 03, 2019 at 09:25:29AM +0200, DL via Exim-users wrote:
Sometimes one of these accounts using a CMS get hacked, and the hacker is able
to send out spam email using a CMS php vulnerability.
When it happens I see hundred of rows like this below in EXIM log:
2019-07-29 06:40:30 cwd=/home/nordic/public_html 4 args: /usr/sbin/sendmail -t
-i -p125
My question is, may I configure temporarily exim.conf to block any email sent
from:
/home/nordic/public_html
As /usr/sbin/sendmail is usually symlink to Exim, you can substitute it
with wrapper script, i.e. something like:
------------------------------------------------------------------------
#!/bin/sh
case "`pwd`" in /home/nordic/public_html )
cat - > /dev/null ; exit ;;
esac
exec /usr/sbin/exim "$@"
------------------------------------------------------------------------
Put any desired logic here. But note that this approach does not protect
against direct invocation of Exim, forcing SMTP+AUTH might be better.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
