Hi Andreas,

You need to check your exim logs to see how these emails are arriving on your server. Exim4U's stock configuration is NOT an open relay and so, unless you have modified Exim4U's configuration, the spam emails are most probably arriving as having been generated by authenticated user logins. Unfortunately, this hack is quite common since spammers routinely conduct dictionary attacks on SMTP and IMAP ports to obtain valid user authentication credentials. On most servers, the SMTP and IMAP authentication credentials typically use the same username/password for a given user. When successful, these dictionary attacks will yield user credentials that can subsequently be used for spamming from your server, whereby the spammer masquerades as a valid authenticating user.

Look at your logs. For authenticated mail, the originating log entry should look like this:

2011-05-11 22:10:44 1QKLMS-0000lx-Gp <= valid_user(a)domain.com H=(k12-46eb5b203aa) [50.8.80.139] P=esmtpa A=fixed_login:valid_user(a)domain.com S=1340 id=CHILKAT-MID-b8da5a7e-6034-b3f6-7b3a-df92b3486c1b(a)k12-46eb5b203aa T="Spammer's Subject Title"

Note the "A=fixed_login:" in the above log entry denoting a valid authenticated user. In the above example, valid_user(a)domain.com will be a valid user on your mail server. Once you establish whose login credentials have been compromised, you should change those users' passwords and your problem will be solved.

The best way to defend against dictionary attacks is to use fail2ban or similar software for rate-limiting SMTP and IMAP authentication failures. I have used fail2ban for quite a while and it is a very reliable product that does the job well. So, when dictionary attacks do occur, you can limit the number of attempted logins to a reasonably small number that typically will not yield any results for the spammer.
If, on the other hand, your logs indicate that the mail is being relayed, then someone has most probably modified the stock Exim4U configuration file and you need to reverse those modifications. Also, review the contents of the exim4u_relay_from_hosts file to make sure that you are not allowing the relays via that file.

FYI,
Gordon

On 06/16/2011 08:53 AM, Andreas Westvik wrote:
So I'm having an SMTP problem. Someone is trying to use my server as a relay for spam mail. Now, my host is blocking port 25 for outgoing mail, so it's really not working. But I want to stop SMTP in exim4. But I'm not sure how to do this with exim4u.
Here is a forum thread I made in the debian forums. http://forums.debian.net/viewtopic.php?f=5&t=65526&p=376626#p376626
Anyone know how to do this?
-Andreas

_______________________________________________
users mailing list
users(a)exim4u.org
https://exim4u.org/mailman/listinfo/users