exim sending spam from external server?

xema
Verified User, joined Oct 9, 2007, 13 messages
Need some advice guys, getting this in the exim main log every 5 minutes.
The mailserver in question is one of our customers'; however, the logs appear on our own mailserver. The customer is a spammer and we'll terminate once we find out what is going on here.
My guess is some script is on our server and he's trying to forward mail from his server to our mailserver? Or he's directly using our mailserver but it fails? I'm a bit confused here and have never seen anything like this.

xxx.xxx.xxx is the customer's IP.

Disabling port 25 and blocking the IP stops the log entries. I did a search on our mailserver and found nothing listening on port 25 when the log entry pops up every 5 minutes, and no suspicious process starting either. What are we dealing with here?

2019-03-15 00:05:01 no host name found for IP address xxx.xxx.xxx.xxx
2019-03-15 00:05:01 ReverseDNS: No reverse DNS for mailserver at xxx.xxx.xxx.xxx, +100 Spam score
2019-03-15 00:05:01 H=(xxx.xxx.xxx) [xxx.xxx.xxx] sender verify fail for <[email protected]>: Unrouteable address
2019-03-15 00:05:01 H=(xxx.xxx.xxx) [xxx.xxx.xxx] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2019-03-15 00:05:01 H=(xxx.xxx.xxx.com) [xxx.xxx.xxx] incomplete transaction (connection lost) from <[email protected]>
2019-03-15 00:05:01 unexpected disconnection while reading SMTP command from (xxx.xxx.xxx.xxx) [xxx.xxx.xxx] D=0s

The xxxx everywhere is really not helping here. This way we can't see which is your mailserver and which is the abusing mailserver, or what is going on at all.
If you want to cloak, use something like (95.myserver.ip) and [email protected], or just the real data so it's readable.
The only thing visible now is that something is sending mail for something.
As far as I can see it, it's attempts for incoming spam to your postmaster email address... at least if [email protected] is your server. Does not look like anything initiated from your server.
However, I can't be 100% sure if you don't present clearer info.
Looks to me like normal incoming spamming attempts. Just block the ip.

Disabling port 25 stops -every- mail coming in or going out (if you completely blocked it), so also incoming mail from legitimate mailservers, so I would not do that.

Glad to hear that it is not originating from our mailserver.
I hope this makes it more clear.
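To make the direction argument in the reply above checkable, here is an added example (my own Python, not code from the thread, from Exim or from DirectAdmin) that parses Exim main-log lines of the shape quoted in the question. It relies on Exim's own log conventions: on a `rejected RCPT` line the `H=` field is the remote host that opened the SMTP session to this server, `<=` marks a message this server accepted and `=>` a delivery this server made, so every `rejected RCPT` line is by definition an inbound attempt. It also measures the spacing between a remote IP's attempts, since a steady 300-second gap points at a scheduled retry on the other end rather than a burst. The log sample, IPs, hostnames and addresses are constructed placeholders, and all function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the shape of the lines quoted in the thread; the IPs,
# hostnames and addresses are documentation placeholders, not real data.
SAMPLE_LOG = """\
2019-03-15 00:05:01 no host name found for IP address 198.51.100.7
2019-03-15 00:05:01 H=(mail.spammer.test) [198.51.100.7] sender verify fail for <monitor@spammer.test>: Unrouteable address
2019-03-15 00:05:01 H=(mail.spammer.test) [198.51.100.7] F=<monitor@spammer.test> rejected RCPT <postmaster@ourmail.example>: Sender verify failed
2019-03-15 00:05:01 H=(mail.spammer.test) [198.51.100.7] incomplete transaction (connection lost) from <monitor@spammer.test>
2019-03-15 00:10:01 H=(mail.spammer.test) [198.51.100.7] F=<monitor@spammer.test> rejected RCPT <postmaster@ourmail.example>: Sender verify failed
2019-03-15 00:12:30 1h4abc-000123-AB <= alice@ourmail.example H=(laptop) [203.0.113.9] P=esmtpsa
2019-03-15 00:12:31 1h4abc-000123-AB => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.25]
2019-03-15 00:15:01 H=(mail.spammer.test) [198.51.100.7] F=<monitor@spammer.test> rejected RCPT <postmaster@ourmail.example>: Sender verify failed
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
# Exim writes the peer as "H=rdns-name (helo-name) [ip]", or "H=(helo-name) [ip]"
# when the IP has no reverse DNS, which is the form the thread's lines show.
HOST = r"H=(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]"

# A "rejected RCPT" line is only ever written for a session a remote host opened to us.
REJECT_RE = re.compile(
    TS + " " + HOST + r" F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)
# "<=" is a message this server accepted; "=>" is a delivery this server made.
ARRIVAL_RE = re.compile(TS + r" (?P<msgid>\S+) <= (?P<sender>\S+) " + HOST)
DELIVERY_RE = re.compile(TS + r" (?P<msgid>\S+) => (?P<rcpt>\S+)")


def parse_timestamp(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def _new_record():
    return {"rejections": 0, "senders": set(), "recipients": set(), "reasons": set(), "times": []}


def summarize(log_text):
    """Group inbound RCPT rejections by remote IP and count what this server itself did."""
    by_ip = defaultdict(_new_record)
    accepted = delivered = 0
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            rec = by_ip[m["ip"]]          # m["ip"] is the peer that connected to us
            rec["rejections"] += 1
            rec["senders"].add(m["sender"])
            rec["recipients"].add(m["rcpt"])
            rec["reasons"].add(m["reason"])
            rec["times"].append(parse_timestamp(m["ts"]))
        elif ARRIVAL_RE.match(line):
            accepted += 1
        elif DELIVERY_RE.match(line):
            delivered += 1
    return {"inbound_rejected": dict(by_ip), "accepted": accepted, "delivered": delivered}


def median_gap_seconds(times):
    """Median spacing between consecutive events from one IP; None if fewer than two."""
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return median(gaps) if gaps else None


def report(log_text):
    """Human-readable lines: one per rejecting peer, plus this server's own traffic."""
    summary = summarize(log_text)
    lines = []
    for ip, rec in summary["inbound_rejected"].items():
        gap = median_gap_seconds(rec["times"])
        lines.append(
            f"{ip}: {rec['rejections']} inbound RCPT rejections, "
            f"senders={sorted(rec['senders'])}, recipients={sorted(rec['recipients'])}, "
            f"reasons={sorted(rec['reasons'])}, median gap={gap}s"
        )
    lines.append(
        f"messages accepted by this server: {summary['accepted']}, "
        f"deliveries made by this server: {summary['delivered']}"
    )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a real `/var/log/exim/mainlog` by reading the file into `summarize`; any IP that appears under `inbound_rejected` connected to you, and if your own host only ever shows up on `<=`/`=>` lines for unrelated messages, nothing is leaving from your side.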
Mailserver ip is not listed anywhere.

ReverseDNS: No reverse DNS for mailserver at spammerip, +100 Spam score
2019-03-10 08:59:45 H=(spamip.hostname.com) [spammerip] sender verify fail for <[email protected]>: Unrouteable address
2019-03-10 08:59:45 H=(spammerip.hostname.com) [spammerip] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2019-03-10 08:59:45 H=(spammerip.hostname.com) [spammerip] incomplete transaction (connection lost) from <[email protected]>
2019-03-10 08:59:45 unexpected disconnection while reading SMTP command from (spammerip.hostname.com) [spammerip] D=0s

Furthermore, I see now that our monitoring server is trying to send email, the same message. Does that mean the spammer is trying to fool the mail server into believing we're sending email?

I'm still confused, as somewhere your hostname or email address should be stated there. And I only read spammerip and spammer hostname, nothing from your local host.

It is incoming mail; it could be that spammers are trying to fool the mail server into believing you are sending mail, but I can't see that from these lines. However, if you have the newest spamblocker exim.conf in place, this should not be possible anyway.
I would also advise installing blockcracking and easy spamfighter from custombuild, which also prevent a lot of rubbish.

As for what your monitoring server is doing, that is not possible to look at without examples. However, if he's sending the same mail, it could also be some bouncing setting in place or something.
So if you don't have the latest spamblocker exim.conf in place, then I would advise starting with that.