Hi All,
Today I found out that yahoo is rejecting all the email from the server. Then I had a quick look at the exim mails and realized there were heaps of mails that someone was trying to spam to yahoo / aol / hotmail users. Then I started to delete all of those emails. Below is the extract of the mail headers from one of them. By looking at the email headers it looks like the originator was a user on the system. The server is used as an outgoing mail server by a few of the customers. Please have a look below; it looks like the user was an authenticated user for popb4smtp.
1JWKiS-0002ym-P9-H
mail 8 12
<[email protected]>
1204589348 2
-helo_name 41.219.218.1
-host_address 127.0.0.1.39110
-host_name localhost
-host_auth login
-interface_address 127.0.0.1.25
-received_protocol esmtpa
-body_linecount 33
-max_received_linelength 76
-auth_id [email protected]
YY [email protected]
YY [email protected]
....
....
....
....
....
....
list goes on and on.
Below are the email headers for this email.
214P Received: from localhost ([127.0.0.1] helo=41.219.218.1)
by server.aegnisolutions.com with esmtpa (Exim 4.69)
(envelope-from <[email protected]>)
id 1JWKiS-0002ym-P9; Tue, 04 Mar 2008 11:09:08 +1100
114P Received: from phpmailer ([41.219.218.1])
by 41.219.218.1 with HTTP (UebiMiau);
Tue, 4 Mar 2008 11:09:07 +1100
037 Date: Tue, 4 Mar 2008 11:09:07 +1100
043* Return-Path: [email protected]
029T To: undisclosed-recipients:;
059F From: "MR. AKANBI RAPHAEL" <[email protected]>
063R Reply-to: "MR. AKANBI RAPHAEL" <[email protected]>
056 Subject: CONTACT THE FEDEX COURIER AT +234-802-970-7488
060I Message-ID: <[email protected]>
014 X-Priority: 3
044 X-Mailer: UebiMiau [PHPMailer version 1.70]
018 MIME-Version: 1.0
032 Content-Transfer-Encoding: 8bit
048 Content-Type: text/html;
charset="iso-8859-1"
There were many emails of this kind. Do you think someone cracked the password for this user and then tried to send emails that way? Is there a security setting that I am missing?
Hope to get some assistance on this urgent matter asap, as this can happen to any server and any user account.
By looking at the below link, I am a bit confused regarding -host_auth and -auth_id.
http://www.exim.org/exim-html-4.10/doc/html/spec_48.html
-host_auth <text>: If the message was received on an authenticated SMTP connection, this records the name of the authenticator - the value of the $sender_host_authenticated variable.
-auth_id <text>: The id information for a message received on an authenticated SMTP connection - the value of the $authenticated_id variable.
Thanks
Rohit
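One way to answer the question the spool extract raises (which authenticated account the bulk mail was submitted under, and how much of it) is to parse the -H files in the queue and total the addressed recipients per -auth_id. The example below is added here and is not the poster's code; the spool header it parses is constructed in the post's layout (id line, uid/gid, envelope sender, time, "-option value" lines, then address lines), with made-up ids and addresses, and it treats both the "YY addr" tree lines and a trailing count-plus-recipient list as addressed recipients.

```python
from collections import Counter

# Constructed Exim -H spool header laid out like the post's: message id,
# uid/gid, envelope sender, time, "-option value" lines, then address lines
# ("YY addr" tree entries, then a count and the pending recipients). Made up.
SAMPLE_H_FILES = [
    """1AAAAA-000001-AA-H
mail 8 12
<alice@example.com>
1204589348 2
-host_auth login
-received_protocol esmtpa
-auth_id alice@example.com
YY user1@example.net
YN user2@example.net
1
user3@example.org
""",
]

def parse_h_file(text):
    """Return auth_id, authenticator and addressed recipients for one -H file.
    -host_auth is the authenticator that succeeded, -auth_id the id it proved."""
    lines = text.splitlines()
    info = {"auth_id": None, "authenticator": None}
    i = 4                                 # skip id, uid/gid, sender and time lines
    while i < len(lines) and lines[i].startswith("-"):
        key, _, value = lines[i][1:].partition(" ")
        if key == "auth_id":
            info["auth_id"] = value.strip()
        elif key == "host_auth":
            info["authenticator"] = value.strip()
        i += 1
    # Every remaining line carrying an address: tree entries and pending
    # recipients alike; the bare recipient-count line has no "@" and is skipped.
    info["addresses"] = [tok for line in lines[i:] for tok in line.split() if "@" in tok]
    return info

def recipients_per_auth_id(h_files):
    """Total addressed recipients per authenticated id; key None means unauthenticated."""
    totals = Counter()
    for info in map(parse_h_file, h_files):
        totals[info["auth_id"]] += len(info["addresses"])
    return totals

def flag_accounts(h_files, max_recipients=2):
    """Authenticated ids whose queued recipient total exceeds the threshold."""
    return sorted(a for a, n in recipients_per_auth_id(h_files).items() if a and n > max_recipients)
```

On a real queue, read each `*-H` file from Exim's spool input directory into the list; an account that dominates the totals while its -auth_id sends to hundreds of unrelated recipients is the one whose password needs resetting and whose sessions should be reviewed.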