exim.pl not counting forged "from"

luck (Verified User, joined May 24, 2011, 30 messages)
Hello,
I've noticed that exim.pl (v17) is not counting messages sent from PHP with a forged "from", like this:

mail('[email protected]','a','b',null,'-f [email protected]');

That means a spammer can send an unlimited number of emails, as the limits won't be hit.
Also, if we change xyz.com to a different domain that exists on the same server, the counter will increment for that domain's owner!

Any advice?

Thanks
 
Hello,

Thanks for the report.

1) Which PHP type is used?

- mod_php without mod_ruid2
- mod_php with mod_ruid2
- suPhp
- php-fpm
- fastcgi

2) Are you referring to the numerical count in the /etc/virtual/usage/username file, or the actual log in /etc/virtual/usage/username.bytes? (or both)

3) Are you seeing anything being logged to the "unknown" user in /etc/virtual/usage for the given php script?

John
 
> Which PHP type is used?

- php-fpm

> Are you referring to the numerical count in the /etc/virtual/usage/username file, or the actual log in /etc/virtual/usage/username.bytes? (or both)

I refer to both: if I forge -f, neither the counter nor *.bytes is incremented.

> are you seeing anything being logged to the "unknown" user in /etc/virtual/usage for the give php script?

Yes, that kind of e-mail is being logged for the unknown user:

545=type=email&[email protected]&method=outgoing&id=1X9tKo-0006Ac-PW&authenticated_id=&sender_host_address=172.16.0.12&log_time=1406109582&message_size=545&local_part=testtest&domain=gmail.com&path=/root
 
Hmm.. just tested here, but didn't get the same result. The correct user.bytes was filled.

In any case, I think we could try something, since most people run php as the User these days (and not "apache"). Try this:

Edit the /etc/exim.pl, and find the section
Code:
sub find_uid
{
        my $uid = Exim::expand_string('$originator_uid');
        my $username = getpwuid($uid);
        my $auth_id = Exim::expand_string('$authenticated_id');
        my $work_path = $ENV{'PWD'};


        if ($username eq "apache" || $username eq "nobody" || $username eq "webapps")
        {
                $uid = find_uid_apache($work_path);
                if ($uid != -1) { return $uid; }
        }

        $uid = find_uid_auth_id($auth_id);

        if ($uid != -1) { return $uid; }

        # we don't want to rely on this, but it's all thats left.
        return find_uid_sender;
}
and to test, try this extra code:
Code:
sub find_uid
{
        my $uid = Exim::expand_string('$originator_uid');
        my $username = getpwuid($uid);
        my $auth_id = Exim::expand_string('$authenticated_id');
        my $work_path = $ENV{'PWD'};


        if ($username eq "apache" || $username eq "nobody" || $username eq "webapps")
        {
                $uid = find_uid_apache($work_path);
                if ($uid != -1) { return $uid; }
        }

        # Added check: a uid that is itself a DirectAdmin user is charged
        # directly, regardless of how the message was submitted.
        if ($username ne "" && -d "/usr/local/directadmin/data/users/$username")
        {
                return $uid;
        }


        $uid = find_uid_auth_id($auth_id);
        if ($uid != -1) { return $uid; }

        # we don't want to rely on this, but it's all thats left.
        return find_uid_sender;
}
as anyone who looks like a DA user is a DA user, regardless of anything else.
Since users is a+x, that should work.


If confirmed, I'll add it in, and bump to version 18.

John
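To make the attribution order discussed above easy to trace, here is a Python model of the v17 find_uid decision (working-directory lookup for apache/nobody/webapps, then the DA-user check John proposes, then the AUTH id, then the envelope sender). This is an added example, not exim.pl itself and not DirectAdmin code: the passwd, DA-user and domain-owner tables are constructed stand-ins, the helper functions are simplified approximations of find_uid_apache, find_uid_auth_id and find_uid_sender, and the addresses and paths are made up.

```python
"""Model of DirectAdmin exim.pl v17 find_uid, with John's proposed DA-user
check inserted, so the forged -f cases from the thread can be traced offline.
Added example; every table below is a constructed stand-in for the real
passwd database, /usr/local/directadmin/data/users/ and /etc/virtual/domainowners."""

UNKNOWN = -1  # exim.pl's "cannot attribute, log to the unknown user" value

# Constructed stand-ins (assumed, not real server data).
PASSWD = {0: "root", 12: "mail", 48: "apache", 1001: "alice", 1002: "bob"}
DA_USERS = {"alice": 1001, "bob": 1002}
DOMAIN_OWNERS = {"alice.example": "alice", "bob.example": "bob"}


def find_uid_apache(work_path):
    """Stand-in for find_uid_apache: charge the DA user whose home the
    script's working directory lives under (/home/<user>/...)."""
    parts = work_path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "home":
        return DA_USERS.get(parts[1], UNKNOWN)
    return UNKNOWN


def find_uid_auth_id(auth_id):
    """Stand-in for find_uid_auth_id: an SMTP AUTH login of user@domain
    is charged to the owner of that domain."""
    if "@" not in auth_id:
        return UNKNOWN
    domain = auth_id.rsplit("@", 1)[1]
    return DA_USERS.get(DOMAIN_OWNERS.get(domain), UNKNOWN)


def find_uid_sender(sender):
    """Stand-in for find_uid_sender, the last resort: trust the envelope
    sender's domain. A forged -f lands here, which is the thread's problem:
    a local domain is charged to the wrong owner, a foreign one to nobody."""
    if "@" not in sender:
        return UNKNOWN
    domain = sender.rsplit("@", 1)[1]
    return DA_USERS.get(DOMAIN_OWNERS.get(domain), UNKNOWN)


def find_uid(originator_uid, auth_id, work_path, sender, with_patch=True):
    """Return (uid, branch) following the v17 order: apache/nobody/webapps
    by working directory, then (with_patch) any uid that is itself a DA
    user, then the AUTH id, then the envelope sender."""
    username = PASSWD.get(originator_uid, "")
    if username in ("apache", "nobody", "webapps"):
        uid = find_uid_apache(work_path)
        if uid != UNKNOWN:
            return uid, "apache-cwd"
    # John's addition: -d "/usr/local/directadmin/data/users/$username"
    if with_patch and username and username in DA_USERS:
        return originator_uid, "da-user"
    uid = find_uid_auth_id(auth_id)
    if uid != UNKNOWN:
        return uid, "auth-id"
    return find_uid_sender(sender), "sender"


if __name__ == "__main__":
    # php-fpm pool running as alice forges -f spam@bob.example: without the
    # patch the sender fallback charges bob, with it alice is charged.
    print(find_uid(1001, "", "/home/alice/public_html", "spam@bob.example", with_patch=False))
    print(find_uid(1001, "", "/home/alice/public_html", "spam@bob.example"))
    # luck's relay setup: exim sees uid 12 ("mail"), no AUTH id, PWD=/root,
    # so only the forged sender is left and the patch cannot help.
    print(find_uid(12, "", "/root", "spam@bob.example"))
    print(find_uid(12, "", "/root", "spam@gmail.example"))
```

The last two calls reproduce luck's debug output further down the thread (username = mail, uid = 12, empty auth_id): once the message arrives over a trusted relay with no AUTH and no DA home directory in PWD, nothing but the forged envelope sender is left to attribute it with.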
 
Ok, so that did not help.

We've debugged it and:
username = mail
uid = 12
auth_id =

Can't see any variable that we can use to recognize user.

You must know that e-mails are being transported to the "main" exim from the php-server, which does relay.

As a matter of fact, I can't see the real username anywhere in the logs or headers (if also forged; otherwise it says 'User xxx').

Advice?
 
Might be a whitelist somewhere.
Check:
Code:
/etc/virtual/whitelist_domains
/etc/virtual/whitelist_from
/etc/virtual/whitelist_hosts
/etc/virtual/whitelist_hosts_ip
/etc/virtual/whitelist_senders
to make sure they're all 0 bytes.

Also check the /etc/exim.conf, make sure your relay_hosts line looks like this:
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts
as older systems also had 127.0.0.1, which allowed open relay, which is bad, hence removed.

Lastly, if it's already in the mail queue, then the auth may have been at some other time.. as retries are done as mail.
Check the log for *all* message IDs for the given message, eg:
Code:
cd /var/log/exim
grep MESSAGE-ID mainlog*
where you'd replace MESSAGE-ID with the unique ID for that message, found in the headers/logs.

John
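John's third question in this thread, what ends up logged against the "unknown" user, is answerable directly from the usage files, whose record format appears in luck's post above (size, then URL-style key=value pairs). Below is an added Python example, not DirectAdmin code, that parses that format and runs two checks over it: which hosts hand in outgoing mail with an empty authenticated_id, and which records could only have been attributed through the envelope sender's domain. The sample records and the domain-owner table are constructed.

```python
"""Parser for the /etc/virtual/usage/<user>.bytes record format shown in the
thread, plus two checks over it: unauthenticated submissions per host, and
records that exim.pl could only attribute via the envelope sender. Added
example, not part of DirectAdmin; sample records are constructed."""
from collections import Counter
from urllib.parse import parse_qsl

# Constructed records in the thread's format: <size>=<key=value&...>.
SAMPLE = """\
545=type=email&email=testtest@gmail.example&method=outgoing&id=1X9tKo-0006Ac-PW&authenticated_id=&sender_host_address=172.16.0.12&log_time=1406109582&message_size=545&local_part=testtest&domain=gmail.example&path=/root
612=type=email&email=billing@alice.example&method=outgoing&id=1X9tKp-0006Ad-QA&authenticated_id=&sender_host_address=172.16.0.12&log_time=1406109590&message_size=612&local_part=billing&domain=alice.example&path=/root
730=type=email&email=alice@alice.example&method=outgoing&id=1X9tKq-0006Ae-RB&authenticated_id=alice@alice.example&sender_host_address=203.0.113.5&log_time=1406109600&message_size=730&local_part=alice&domain=alice.example&path=/home/alice
"""

# Constructed stand-in for /etc/virtual/domainowners (domain -> DA user).
LOCAL_DOMAINS = {"alice.example": "alice", "bob.example": "bob"}


def parse_bytes_log(text):
    """Return one dict per record; the leading byte count becomes int 'size'
    and blank values (such as an empty authenticated_id) are preserved."""
    records = []
    for line in text.splitlines():
        if not line.strip() or "=" not in line:
            continue
        size, query = line.split("=", 1)
        rec = dict(parse_qsl(query, keep_blank_values=True))
        rec["size"] = int(size)
        records.append(rec)
    return records


def unauthenticated_hosts(records):
    """Count outgoing records with an empty authenticated_id per sending
    host. A trusted relay that never authenticates shows up here."""
    return Counter(
        r.get("sender_host_address", "?")
        for r in records
        if r.get("method") == "outgoing" and not r.get("authenticated_id")
    )


def sender_only_attributions(records, local_domains=LOCAL_DOMAINS):
    """Records with no AUTH id and no DA home in 'path' whose sender domain
    is local: these are exactly what a forged -f would charge to another
    customer via exim.pl's find_uid_sender fallback."""
    hits = []
    for r in records:
        if r.get("authenticated_id") or r.get("path", "").startswith("/home/"):
            continue
        owner = local_domains.get(r.get("domain", ""))
        if owner:
            hits.append((r.get("id"), r.get("email"), owner))
    return hits


if __name__ == "__main__":
    recs = parse_bytes_log(SAMPLE)
    print(unauthenticated_hosts(recs))
    print(sender_only_attributions(recs))
```

Running it over the real files (for example `cat /etc/virtual/usage/unknown.bytes` fed into `parse_bytes_log`) gives a quick view of whether a whitelisted host is the source of the unattributed mail, which is the question John raises in the next post.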
 
Can you clarify your setup? This may greatly change what we're after:

> Yes it is whitelisted as Directadmin server is open relay for the local trusted dedicated PHP server.

If I'm reading this correctly, some other server is generating the email, and DA is only relaying this email?
If that's correct, and the sending domain doesn't exist on the relay box, then no counting would take place on the DA box.

I'm guessing that I'm not fully understanding the setup, as once there are whitelists for external servers, those external servers are not limited by anything, hence the "whitelist".

John
 