Hi Rimas, on 20.08.15 21:29 Rimas Kudelis wrote:
Hi Mika,
2015-08-20 13:35, emkay wrote:
I’m having a weird issue with my server running exim4u 2.1.1 on Debian Squeeze and I just can’t get my head around this. I know this might be more of an Exim question but since I use Exim4u I’ll try my luck here first.
The problem: For a few days now I have one single user sending out spam mails. Not many - only about 5x a day. All sent to the domain’s aliases and one other local domain. But: they seem to 'multiply' because simultaneously the same rubbish is sent from multiple external IPs to what seems to be his whole address book, using his account’s email address as sender.
I don't really understand this last sentence. Care to clarify?
At the same time when these (few) mails are being sent from my machine to local users there are remote 'JoeJobs' that are sending out mail from other IPs using the local user's mail address. Sounds silly, I know. In the meantime I've discovered this might be a larger operation involving a possible security breach at Telekom, a large local (German) provider. https://www.google.de/search?q=WORLDST-UQ3K9Q0 Seems to be a local issue (atm) so most info is in German. There seem to be a lot of similar cases. Same procedure, same HELO and subjects used and same clueless admins trying to figure out how the mail was sent.
My last glimpse of hope: I noticed in the exim mainlog that the rogue connections used „P=esmtps“: 2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user(a)example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy(a)example.com T="Fw: important"
Rather than „P=esmtpsa“, which is used when a regular, _a_uthenticated user sends out mail. http://www.gossamer-threads.com/lists/exim/users/98628#98628
So my question is: does the 'missing a' indicate that the mail was sent without authentication? Could this be an Exim/Exim4U ACL issue/misconfiguration?
It would be great to get some feedback or hints regarding this because neither the spamming pattern (local / remote) nor the password-change-ignoring connections make any sense to me.
You're probably right about authentication not happening, but this is normal in your case – mail servers in general only require authentication when sending messages OUT, not IN (and you wrote above that the spam is coming IN). This is how e-mail works.
I think you got me wrong: user(a)example.com is the local user. And "he" is sending out mails that he shouldn't. And if "P=esmtps" means he's doing it without authentication then that's not how e-mail should work. ;) So am I right to assume they manage to do it without authentication?
The fact that these messages are sent from your user's e-mail address might mean that: a) the sender expects that the recipients will be more likely to read it (due to the message appearing as being from the same domain/from a user in the address book) b) (and you should really test this theory) your mail server might be skipping spam checks on messages which it considers as sent from local users.
I had a similar issue a couple of years ago: someone's account was compromised, and our server became a spamming machine. I can't remember whether or not it happened more than once, but when I decided to debug this problem, the issue turned out to be that I had disabled spam checking on messages originating from 127.0.0.1, and the spammer used our webmail service running on the same server to send the spam. Once I figured that out, I configured Exim to also test messages originating from the www-data user, and the problems stopped.
Hope this helps, Rimas
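As an added example (not code from the thread or from Exim4U): a small Python script that scans Exim mainlog "<=" lines for messages carrying a local sender address that arrived without SMTP AUTH (P=esmtp/esmtps rather than P=esmtpa/esmtpsa, and no A= field) from a host outside a trusted network. The sample log uses the line quoted above plus constructed lines; the local domain list and trusted networks are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in Exim mainlog format. The first line is the one from the
# thread (with the archive's "(a)" de-obfuscated to "@"); the rest are made up.
SAMPLE_LOG = """\
2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user@example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy@example.com T="Fw: important"
2015-08-18 02:05:11 1ZSE4f-0003Aa-Qz <= user@example.com H=(laptop) [203.0.113.7] P=esmtpsa A=plain:user@example.com X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 S=2210 id=abc@example.com T="Lunch"
2015-08-18 02:07:40 1ZSE71-0003Bb-Rx <= friend@mail.example.net H=mx.example.net [198.51.100.20] P=esmtps X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 S=1900 id=def@mail.example.net T="Hello"
2015-08-18 02:09:02 1ZSE8P-0003Cc-Sy <= user@example.com H=localhost [127.0.0.1] P=esmtp S=1500 id=ghi@example.com T="Webmail test"
"""

LOCAL_DOMAINS = {"example.com"}                  # assumption: domains this server hosts
TRUSTED_NETS = [ip_network("127.0.0.0/8")]       # assumption: may submit without AUTH
AUTH_PROTOS = {"esmtpa", "esmtpsa"}              # Exim appends "a" when AUTH succeeded

# Fields of a message-received line: timestamp, message id, sender, H=host [ip], P=proto, optional A=auth
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.+?) \[(?P<ip>[^\]]+)\] "
    r"P=(?P<proto>\S+)"
    r"(?: A=(?P<auth>\S+))?"
)


def parse_line(line):
    """Return the fields of a '<=' line as a dict, or None for other log lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_unauthenticated_local_sender(rec):
    """True if the envelope sender is a local address, the client did not
    authenticate, and the connecting IP is outside the trusted networks."""
    domain = rec["sender"].rsplit("@", 1)[-1].lower()
    if domain not in LOCAL_DOMAINS:
        return False                              # ordinary inbound mail, AUTH not expected
    if rec["proto"] in AUTH_PROTOS or rec["auth"]:
        return False                              # a real login submitted this message
    src = ip_address(rec["ip"])
    return not any(src in net for net in TRUSTED_NETS)


def find_suspicious(log_text):
    """Return (msgid, sender, ip, proto) for each line that looks like a spoofed local sender."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_local_sender(rec):
            hits.append((rec["msgid"], rec["sender"], rec["ip"], rec["proto"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("unauthenticated local sender:", *hit)
```

Against the sample only the thread's own line is flagged; whether such a message should have been accepted at all is then a question for the server's SMTP-time ACLs (sender verification or requiring AUTH for local sender domains on untrusted hosts), which is the check Mika was asking about.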
_______________________________________________ users mailing list users(a)exim4u.org https://exim4u.org/mailman/listinfo/users