Exim problem

Teddy Mills teddymills-VFlxZYho3OA at public.gmane.org
Thu Dec 11 05:06:14 UTC 2003


I just went through a few weeks of security and server hell.
I would save you some pain.

A.
Get a separate firewall box if you do not currently have one.
I would recommend running your servers behind the firewall with a NAT
address. (ie. no bastion servers) (opinions will vary here)
I chose the SmoothWall 2.0. I am one happy admin now with my network and
server setup. (ask me how happy :)

B.
Use tcpdump or lsof -i or other network tools to see what remote
connections are there during these spammings.

C.
Blocking out just that one spammer network block or IP is useless, since it
doesn't fix the systemic problem with security.

D.
Review your system top down for security and reset all passwords in the
system. You can maybe skip this step, but that's your call.

E.
Others in this list more qualified than I may save you (and me) some future
steps or caveats.

----- Original Message -----
From: "Alan Cohen" <alan-QVObF66B6qeOg/Yh5kgvkFaTQe2KTcn/@public.gmane.org>
To: <tlug-lxSQFCZeNF4 at public.gmane.org>
Sent: Wednesday, December 10, 2003 11:45 PM
Subject: [TLUG]: Exim problem


> Hello all
>
> I'm having a heck of a problem. My system supposedly does not allow
> unauthorized relaying, yet Exim V4 is apparently sending out hundreds
> and hundreds of messages (to persons-YDxpq3io04c at public.gmane.org).
>
> - It would seem they are "from" apache-WYle8UNbkfMGClDRh0WFwpAGcjtitEbrAL8bYrjMMd8 at public.gmane.org
> - Their source is P=local (not smtp) Somehow, these messages are
>   originating from my system. (not relayed from somewhere else)
>
> - Local user p911-alan is the first recipient. His message shows that
>   there is one (and only one) additional "To" who is a non-existent
>   person-PyrWk/hl1m8sac7YOPP9X1aTQe2KTcn/@public.gmane.org
> - /var/log/exim/main.log shows a heck of a lot of other people are being
>   sent that same message
>
> Does anyone have any suggestions?
> I'd sure like to know how this guy is doing it...
>
>
> exigrep extract re: 2003-12-10 22:05:56 1AUH9I-0000Eb-Qr
>
> <= apache-WYle8UNbkfMGClDRh0WFwpAGcjtitEbrAL8bYrjMMd8 at public.gmane.org U=apache P=local S=3387 T="Adobe Photoshop"
>
> lowest numbered MX record points to local host: www.perimeter911.com
>
> == cristi898-PyrWk/hl1m8sac7YOPP9X1aTQe2KTcn/@public.gmane.org R=lookuphost defer (-1):
>    lowest numbered MX record points to local host
>
> => p911-alan <answers-I2tnHk3vA3RB9i3/4EaAEw at public.gmane.org> R=local_director T=maildir_delivery
>
> Remote host mailin-02.mx.aol.com [205.188.159.57] closed connection in
>    response to end of data
>
> => mawwwwwwww-YDxpq3io04c at public.gmane.org R=lookuphost T=remote_smtp H=mailin-02.mx.aol.com [205.188.159.57]
> -> gwbw2-YDxpq3io04c at public.gmane.org      R=lookuphost T=remote_smtp H=mailin-02.mx.aol.com [205.188.159.57]
> -> ..and hundreds of more recipient-5uyhOP+zmq2tXF2fZOsJYA at public.gmane.org
>
>
> --
> -------------------------------------- Please do not respond in HTML
> Alan Cohen alan-QVObF66B6qeOg/Yh5kgvkFaTQe2KTcn/@public.gmane.org
> voice: 416-783-9826
> fax:   240-269-7457
>
> --
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>
>

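The tell-tale in Alan's exigrep extract is the "<=" line: U=apache P=local means the message was handed to Exim through the local sendmail interface by the apache user, not relayed over SMTP, and it then fans out to hundreds of remote_smtp deliveries. Rather than eyeballing one message ID, the whole main.log can be swept for that pattern. The script below is an added example and is not code from either poster; the log lines it feeds itself are constructed to resemble the extract above (example.com/example.net hosts and 192.0.2.x / 198.51.100.x placeholder addresses), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find locally submitted Exim 4
# messages that fanned out to many remote recipients, grouped by the
# Unix user that handed them to Exim. In Exim's main.log a "<=" line
# carries P=local and U=<user> when the message came in through the
# local sendmail interface; "=>" and "->" lines record each delivery.

# Constructed sample log, shaped like the exigrep extract in the thread
# (hosts, addresses and message IDs other than the first are placeholders).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
2003-12-10 22:05:56 1AUH9I-0000Eb-Qr <= apache@www.example.com U=apache P=local S=3387 T="Adobe Photoshop"
2003-12-10 22:05:57 1AUH9I-0000Eb-Qr => p911-alan <answers@example.com> R=local_director T=maildir_delivery
2003-12-10 22:05:58 1AUH9I-0000Eb-Qr => victim1@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-12-10 22:05:58 1AUH9I-0000Eb-Qr -> victim2@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-12-10 22:05:58 1AUH9I-0000Eb-Qr -> victim3@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-12-10 22:10:00 1AUHDI-0000Fc-Ab <= alan@www.example.com U=alan P=local S=512
2003-12-10 22:10:01 1AUHDI-0000Fc-Ab => friend@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.20]
2003-12-10 22:11:00 1AUHEJ-0000Gd-Cd <= sender@example.org H=mail.example.org [198.51.100.5] P=esmtp S=2048
2003-12-10 22:11:01 1AUHEJ-0000Gd-Cd => p911-alan <alan@example.com> R=local_director T=maildir_delivery
EOF

# local_submitters LOG
# Count of locally submitted messages per Unix user, most active first.
local_submitters() {
    awk '$4 == "<=" && /P=local/ {
             for (i = 5; i <= NF; i++)
                 if ($i ~ /^U=/) count[substr($i, 3)]++
         }
         END { for (u in count) print count[u], u }' "$1" | sort -rn
}

# remote_recipients LOG MSGID
# Number of remote SMTP deliveries ("=>" first recipient, "->" further
# recipients in the same transport run) logged for one message ID.
remote_recipients() {
    awk -v id="$2" '$3 == id && ($4 == "=>" || $4 == "->") && /T=remote_smtp/ { n++ }
                    END { print n + 0 }' "$1"
}

# suspicious_local_fanout LOG MAX
# Locally submitted message IDs whose remote fan-out exceeds MAX, printed
# as "<msgid> <user> <count>". Messages that arrived over SMTP are ignored.
suspicious_local_fanout() {
    awk -v max="$2" '
        $4 == "<=" && /P=local/ {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^U=/) user[$3] = substr($i, 3)
        }
        ($4 == "=>" || $4 == "->") && /T=remote_smtp/ && ($3 in user) { n[$3]++ }
        END { for (id in user) if (n[id] + 0 > max) print id, user[id], n[id] }
    ' "$1"
}

# Run against the sample; point LOG at /var/log/exim/main.log on a real box.
echo "Local submissions by user:"; local_submitters "$LOG"
echo "Messages from local users with more than 2 remote recipients:"
suspicious_local_fanout "$LOG" 2
```

A hit under U=apache says the web server process itself is the sender, so the next thing to look at is what ran under that user when the "<=" line was written (web access logs at the same timestamp, and, per Teddy's step B, `lsof -i -nP` while it is happening), not the remote IPs of the recipients' MX hosts.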