Solved Email send via

castris (Verified User, joined Apr 16, 2021, 137 messages, Arcenillas)
Last night I had a spam attack where a user is sending spam.

After analyzing the issue:
  • The email accounts do not exist on the server.
  • The email is not authenticated.
  • I can't understand this method of access and sending (how it is possible), as it is the first time in my life that I have seen something like this.

Is there any solution?
Bash:
 cat /var/log/exim/mainlog| grep ":25:0:127.0.0.1:1080:socks5:25:"
2025-05-11 23:19:31 1uEFxC-0000000CHzy-3bCH <= [email protected] H=(mail.customer-domain.tld) [165.154.242.35] P=esmtp S=1079 T="mail.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-11 23:19:31 1uEFxC-0000000CI00-3poo <= [email protected] H=(smtp.customer-domain.tld) [165.154.242.35] P=esmtp S=966 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 17:50:36 1uFcj5-00000004BwS-4BTn <= [email protected] H=(mail.customer-domain.tld) [165.154.233.184] P=esmtp S=914 T="mail.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 17:50:36 1uFcj6-00000004BwQ-01DG <= [email protected] H=(smtp.customer-domain.tld) [165.154.233.184] P=esmtp S=888 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 21:44:10 1uFgN8-00000006otG-2Gzf <= [email protected] H=(mail.customer-domain.tld) [172.111.9.180] P=esmtp S=971 T="mail.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 21:45:54 1uFgOo-00000006peY-1KkR <= [email protected] H=(smtp.customer-domain.tld) [172.111.9.180] P=esmtp S=761 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:06 1uFhRq-00000009qGH-22N5 <= [email protected] H=(smtp.customer-domain.tld) [172.111.9.180] P=esmtp S=827 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:06 1uFhRq-00000009qGw-2Jcp <= [email protected] H=(smtp.customer-domain.tld) [172.111.9.180] P=esmtp S=961 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:06 1uFhRq-00000009qGg-2Lac <= [email protected] H=(smtp.customer-domain.tld) [172.111.9.180] P=esmtp S=841 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:07 1uFhRr-00000009qIr-16lU <= [email protected] H=(mail.customer-domain.tld) [172.111.9.180] P=esmtp S=969 T="mail.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:09 1uFhRt-00000009qMV-0r2s <= [email protected] H=(mail.customer-domain.tld) [172.111.9.180] P=esmtp S=926 T="mail.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:09 1uFhRt-00000009qMX-1XYg <= [email protected] H=(mail.customer-domain.tld) [172.111.9.180] P=esmtp S=761 T="mail.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:10 1uFhRu-00000009qPO-0PEK <= [email protected] H=(smtp.customer-domain.tld) [172.111.9.180] P=esmtp S=1055 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:17 1uFhS1-00000009qif-24RQ <= [email protected] H=(smtp.customer-domain.tld) [172.111.9.180] P=esmtp S=998 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:37 1uFhSK-00000009rYU-3xdE <= [email protected] H=(smtp.customer-domain.tld) [172.111.9.180] P=esmtp S=864 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:37 1uFhSL-00000009raR-1GlC <= [email protected] H=(mail.customer-domain.tld) [172.111.9.180] P=esmtp S=715 T="mail.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:39 1uFhSN-00000009rfU-2b3i <= [email protected] H=(smtp.customer-domain.tld) [172.111.9.180] P=esmtp S=806 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
2025-05-15 22:53:40 1uFhSO-00000009rjO-3HGA <= [email protected] H=(mail.customer-domain.tld) [172.111.9.180] P=esmtp S=936 T="mail.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]
 
Hello,

Either the IP is whitelisted on your server, or it is authenticated via POP or even SMTP. An authenticated user might forge the email accounts used in the From header. You might customize Exim to force a match between the authenticated user and the user in the From header.

172.111.9.180
 
Hi.

I can't understand how it could be allowed in DirectAdmin unless it explicitly permitted unauthenticated email:

1. The two IPs have no trace of LOGIN in either POP/IMAP or EXIM.
2. Instead, you only see this issue: 'smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:'

There are no logins, no traces of the IPs in /etc or /var/log except for those.


A security problem, IMHO.

Bash:
cat /var/log/exim/mainlog| grep  1uFhRu-00000009qPO-0PEK
2025-05-15 22:53:10 1uFhRu-00000009qPO-0PEK <= [email protected] H=(smtp.customer-domain.tld) [172.111.9.180] P=esmtp S=1055 T="smtp.customer-domain.tld:25:0:127.0.0.1:1080:socks5:25:" from <[email protected]> for [email protected]

2025-05-15 22:53:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1uFhRu-00000009qPO-0PEK

2025-05-15 22:53:10 1uFhRu-00000009qPO-0PEK failed to expand condition "${if and{{bool_lax{${perl{check_limits}}}}{bool_lax{${if or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}}}}}}" for static_route router: You (casadele) have reached your daily email limit of 2000 emails

2025-05-15 22:53:10 1uFhRu-00000009qPO-0PEK failed to expand condition "${perl{check_limits}}" for lookuphost router: You (casadele) have reached your daily email limit of 2000 emails

2025-05-15 22:53:10 1uFhRu-00000009qPO-0PEK ** [email protected] F=<[email protected]>: Unrouteable address

2025-05-15 22:53:10 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1uFhRu-00000009qPO-0PEK

2025-05-15 22:53:10 1uFhRu-00000009qQB-1ORl <= <> R=1uFhRu-00000009qPO-0PEK U=mail P=local S=2427 T="Mail delivery failed: returning message to sender" from <> for [email protected]

2025-05-15 22:53:10 1uFhRu-00000009qPO-0PEK Completed
 
A lot of thanks, zEitEr.

A mistake by a co-worker, who put the domain in the whitelist to work around a problem with mail.
I didn't know the mechanism of DirectAdmin regarding those files, and I didn't imagine they could be exploited like that.

Lesson learned.

Thank you very much.
 