Hi, 2015-08-20 23:22, emkay wrote:
on 20.08.15 21:29 Rimas Kudelis wrote:
2015-08-20 13:35, emkay wrote:
I’m having a weird issue with my server running exim4u 2.1.1 on Debian Squeeze and I just can’t get my head around this. I know this might be more of an Exim question but since I use Exim4u I’ll try my luck here first.
the problem: For a few days now I have one single user sending out spam mails. Not many - only about 5x a day. All sent to the domain’s aliases and one other local domain. But: they seem to 'multiply' because simultaneously the same rubbish is sent from multiple external IPs to what seems to be his whole address book, using his account’s email address as sender.
I don't really understand this last sentence. Care to clarify?
At the same time when these (few) mails are being sent from my machine to local users there are remote 'JoeJobs' that are sending out mail from other IPs using the local user's mail address. Sounds silly, I know.
As you probably know, faking the "From:" header is very easy. If somebody is faking this header and uses third-party servers to send spam, there is only so much you can do. You may want to explore DMARC and similar initiatives, but that's about it.
In the meantime I've discovered this might be a larger operation involving a possible security breach at Telekom, a large local (German) provider. https://www.google.de/search?q=WORLDST-UQ3K9Q0 Seems to be a local issue (atm) so most info is in German. There seem to be a lot of similar cases. Same procedure, same HELO and subjects used and same clueless admins trying to figure out how the mail was sent.
Again, in your place, I would first of all limit my concern to my own server and users. You should make sure that _your_ server hasn't been compromised first of all.
My last glimpse of hope: I noticed in the exim mainlog that the rogue connections used „P=esmtps“: 2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user(a)example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy(a)example.com T="Fw: important"
Rather than „P=esmtpsa“, which is used when a regular, _a_uthenticated user sends out mail. http://www.gossamer-threads.com/lists/exim/users/98628#98628
So my question is: does the 'missing a' indicate that the mail was sent without authentication? Could this be an Exim/Exim4U ACL issue/misconfiguration?
It would be great to get some feedback or hints regarding this because neither the spamming pattern (local / remote) nor the password-change-ignoring connections make any sense to me.
You're probably right about authentication not happening, but this is normal in your case – mail servers in general only require authentication when sending messages OUT, not IN (and you wrote above that the spam is coming IN). This is how e-mail works.
I think you got me wrong: user(a)example.com is the local user. And "he" is sending out mails that he shouldn't. And if "P=esmtps" means he's doing it without authentication then that's not how e-mail should work. ;)
So am I right to assume they manage to do it without authentication?
Yes, I suppose so (you have already looked it up, there's no need for me to do the same). However, your first message says "All sent to the domain’s aliases and one other local domain", so I assume you are talking about spam delivered to your server's local mailboxes, hence the direction is IN. And if that is correct, then not requiring authentication is the expected behavior, because that's how SMTP servers talk to each other. Rimas
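As an added example (not from this thread or from Exim4U), a small Python check over Exim mainlog "<=" lines that applies the distinction discussed above: it flags messages whose envelope sender is in one of your local domains but which were accepted from an external IP with P=esmtp/esmtps and no A= field, i.e. without SMTP AUTH. The local domain, the internal network and the second and third sample lines are assumptions; the first sample line mirrors the entry quoted in the thread.

```python
import ipaddress
import re

# Constructed sample lines in the format of the mainlog entry quoted in the
# thread (the first mirrors that entry; the other two are made up).
SAMPLE_LOG = """\
2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user@example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy@example.com T="Fw: important"
2015-08-18 08:02:11 1ZSJdd-0004Qb-1x <= user@example.com H=(client.lan) [192.0.2.25] P=esmtpsa A=plain:user@example.com X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 S=2210 id=c1@example.com T="Re: invoice"
2015-08-18 09:15:40 1ZSKmp-0001aa-7Q <= sales@other.example H=mx.other.example [198.51.100.9] P=esmtps X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 S=5120 id=c2@other.example T="Quote"
"""

# Exim "<=" (message received) line: timestamp, message id, envelope sender,
# H=host [ip], P=protocol and, only for authenticated sessions, A=auth:id.
RECEIVED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.+?) \[(?P<ip>[^\]]+)\] P=(?P<proto>\S+)"
    r"(?: A=(?P<auth>\S+))?"
)


def parse_received(line):
    """Return the fields of a '<=' line as a dict, or None for other lines."""
    m = RECEIVED_RE.match(line)
    return m.groupdict() if m else None


def is_unauthenticated_local_sender(rec, local_domains, internal_nets):
    """True when a message with a local envelope sender arrived from an
    external IP over a protocol without the trailing 'a' (esmtp/esmtps)
    and without an A= field, i.e. it was accepted without SMTP AUTH."""
    domain = rec["sender"].rpartition("@")[2].lower()
    if domain not in {d.lower() for d in local_domains}:
        return False
    if rec["proto"].endswith("a") or rec["auth"] is not None:
        return False  # authenticated submission, expected for a local user
    ip = ipaddress.ip_address(rec["ip"])
    return not any(ip in net for net in internal_nets)


def audit(log_text, local_domains, internal_cidrs):
    """Return the message ids of suspicious '<=' entries in log_text."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    flagged = []
    for line in log_text.splitlines():
        rec = parse_received(line)
        if rec and is_unauthenticated_local_sender(rec, local_domains, nets):
            flagged.append(rec["msgid"])
    return flagged
```

A hit means either a forged local sender address arriving from outside (the "JoeJob" case, for which SPF/DMARC is the remedy) or, if the host is one of your own submission clients, an ACL that lets unauthenticated clients relay; the host and IP fields tell the two apart.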