Exim spam - esmtps can't solve it

TonyF

Hi,

I have tried all topics I could find but nothing helps me eliminate the spam that gets through my server. This server is designed to NOT use email accounts, only send email generated on webforms. SpamBlocker 4.5.4 etc is installed.

See logs for info. Can anyone please help me with this? I want to ELIMINATE ALL ACCESS which does not use authentication, as this clearly is...


2017-06-16 01:28:23 1dLeBa-0001t3-WB <= [email protected] H=(IP-223-11) [46.183.223.11] P=esmtps X=TLSv1:DES-CBC3-SHA:168 CV=no S=1223 id=029e7fc8-42902-01381029703819@ip-223-11 T="Re: Greetings" from <[email protected]> for [email protected]
2017-06-16 01:28:23 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dLeBa-0001t3-WB
2017-06-16 01:28:24 1dLeBa-0001t3-WB => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1254 H=mx1.hotmail.com [104.44.194.236] X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=yes C="250 <029e7fc8-42902-01381029703819@ip-223-11> Queued mail for delivery"
2017-06-16 01:28:24 1dLeBa-0001t3-WB Completed
2017-06-16 01:28:26 1dLeBe-0001t7-1f <= [email protected] H=(IP-223-11) [46.183.223.11] P=esmtps X=TLSv1:DES-CBC3-SHA:168 CV=no S=1268 id=029e7fc9-42902-01391029996759@ip-223-11 T="Re: Greetings" from <[email protected]> for [email protected]
2017-06-16 01:28:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dLeBe-0001t7-1f
2017-06-16 01:28:27 1dLeBe-0001t7-1f => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1300 H=aspmx.l.google.com [173.194.69.26] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1497569307 b28si400037eda.91 - gsmtp"
2017-06-16 01:28:27 1dLeBe-0001t7-1f Completed
2017-06-16 01:28:27 SMTP connection from (IP-223-11) [46.183.223.11] lost while reading message data (header)
2017-06-16 01:28:57 1dLeC9-0001tQ-17 <= [email protected] H=(IP-223-11) [46.183.223.11] P=esmtps X=TLSv1:DES-CBC3-SHA:168 CV=no S=1264 id=029e7fcb-42902-013b1033655208@ip-223-11 T="Re: Greetings" from <[email protected]> for [email protected]
2017-06-16 01:28:57 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dLeC9-0001tQ-17

LIST OF THINGS I TRIED:
- da-popb4smtp was already disabled (which it is by default). And I have checked, but the pophosts list is empty.
- exim.pl is already version 21.
- exim.conf is with spamblocker 4.5.4
- exim.conf #EDIT#25 (acl_check_helo) is in place.
- CSF/LFD both running
- Mailradar test: Port 25 is Open at xx.xx.xx.xx... All tested completed! No relays accepted by remote host!
- SMTP_BLOCK in CSF was set to off, have set it to ON but this disabled my users using an external smtp server for sending form generated mails
- Easy spam fighter and Blockcracking is on

CHANGES I PREVIOUSLY MADE TO EXIM IN A OTHERWISE DEFAULT INSTALL:
1. to let it use a different IP address than the server's IP, following this: https://help.directadmin.com/item.php?id=152
2. Added this, found in first post near end here: http://forum.directadmin.com/showthread.php?t=43500
The part with: # Prevents unencrypted mail submission.

FURTHER INFO:
- there are no mail addresses in any user account, other than a catch-all or forwarder. ALL users use externally hosted email.
 
only send email generated on webforms
and
I want to ELIMINATE ALL ACCESS which does not use authentication,
You can't have both unless you have webforms which can use smtp authentication. In that case turn off php mail and only use smtp authentication.

Check this too:
https://help.directadmin.com/item.php?id=467

Another thing is you might want to upgrade to spamblocker version 4.5.5 and the newest exim.pl (version 21).
Because I see these things:
H=(IP-223-11) [46.183.223.11]
This HELO/EHLO is not a valid FQDN name and should be blocked already before being able to send mail.
 
I see I was not very clear, excuse me. What I meant was: I do not even use any mail accounts on the server. The server is only used for hosting web, and does send email, but only mail that is generated on websites.

I then find it strange to see the server being used for sending mail, even without authentication, while there are no mail accounts at all.

This HELO/EHLO is not a valid FQDN name and should be blocked already before being able to send mail.

Which rule should prevent this? This should already be prevented in previous versions right? Of course I am updating now.


But, the problem lies elsewhere. With default settings, a server should not be able to be used as a mail relay at all right? How come mine is?
 
da-popb4smtp was already disabled (which it is by default). And I have checked, but the pophosts list is empty. Must be, since there are no pop accounts on the server.
 
exim.pl is already version 21.
exim.conf is with spamblocker 4.5.4, which I will update any minute.

But this should not be able to happen with those versions, right? I think they use a loophole which might concern MANY others.
 
Which rule should prevent this? This should already be prevented in previous versions right?
Edit 25 should do this. I'm not sure if previous versions should prevent this too. I guess but I'm not sure because I can't look into previous versions, that's why I suggested to upgrade first.

Check with mailradar.com/openrelay if you don't have an open relay.

I presume you also activated easy spam fighter and blockcracking?
Do you have CSF/LFD running?

Also check this:
https://help.directadmin.com/item.php?id=455

There must be something wrong because if this would concern many others, there would be a lot of us having the same issue already.
 
- #EDIT#25 (acl_check_helo:) is in place.
- CSF/LFD both running.
- Mailradar test: Port 25 is Open at xx.xx.xx.xx... All tested completed! No relays accepted by remote host!
- SMTP_BLOCK in CSF was set to off, have now set it to ON and see if this helps? (on my other servers - I have more than one - this is set to off and these problems have not occurred to me before).
- How to check if easy spam fighter and blockcracking is on?

There must be something wrong because if this would concern many others, there would be a lot of us having the same issue already.
I tend to agree indeed.. But seeing as I have changed nothing to the email config of this server, and have other servers running which do not present this issue, I have difficulty finding what is wrong...
 
How to check if easy spam fighter and blockcracking is on?
Go to /usr/local/directadmin/custombuild and check options.conf if you enabled it.
There is surely some way to check with Exim but I don't know how to be honest.

- SMTP_BLOCK in CSF was set to off, have now set it to ON and see if this helps?
It should not be set to ON but to 1. Like this:
Code:
SMTP_BLOCK = "1"
I have this setting on all my servers, it's by default this way if you install CSF/LFD with the install_directadmin.sh install script. If I remember correctly.
This way no mail can be sent anymore via SMTP except mail by Root, Exim and Mailman.
I would strongly advise to use this setting on all your servers, because you don't want anyone to use your smtp bypassing Exim.

This setting is however also very important:
SMTP_ALLOWLOCAL = "1"
Which allows sending from scripts like contact forms, forums and such, allowing php mail() through.

You could set this to:
Code:
SMTP_ALLOWLOCAL = "0"
preventing scripts from sending out mail.
Normally in the logs when spammers are busy, you will get errors now or you will get notices from CSF/LFD; this might be very helpful in finding what account or what script is causing the problem.
If you find it and you want scripts to be able to send mail out, you can always change this back to 1.
However it's safer to have users use smtp auth with their scripts if possible.
 
Go to /usr/local/directadmin/custombuild and check options.conf if you enabled it.
Thanks. It is enabled (by default) and is also enabled in my case.

It should not be set to ON but to 1
This was not default in all my installations. Have tried it on one server now but this leads to an issue, since then a wordpress-site (which uses Postman SMTP plugin since it uses the smtp of another server) can't send mails. So disabled it again.

This setting is however also very important: SMTP_ALLOWLOCAL = "1"
I can't have spam_block enabled since it hinders my users. But, what should allowlocal be set to then? Does not matter right?

I still do not understand how anyone could use my server to send mail. That can't even happen by default and I didn't change anything... I just looked back at my install log (of which I keep a manual record), and see that I specifically enabled eximconf, eximconf_release 4.4, blockcracking, easy_spam_fighter, spamassassin through custombuild.

I did change something manually to my exim configuration, which is:
1. to let it use a different IP address than the server's IP (to be able to switch this one if it might end up on a blacklist and thus secure deliverability for my clients). Did this by adding 'interface = xx.xx.xx.xx' to the remote_smtp part in exim.conf.
2. I also added this:
Code:
  accept  encrypted     = *
  drop    message       = Your connection is not secured.
          log_message   = Connection from \
                          [$sender_host_address]($authenticated_id) was \
                          not encrypted.
To give my users a notice when they would use mail on this server but use it unencrypted. This can go since I do not use any mailaccounts on this server.

Who can chime in?
 
since then a wordpress-site (which uses Postman SMTP plugin since it uses the smtp of another server) can't send mails. So disabled it again.
Uses smtp of another server? Doesn't make a difference, because you can configure that a few lines lower by either:
SMTP_ALLOWUSER = ""
or
SMTP_ALLOWGROUP = "mail,mailman" (add the postman plugin here if possible).
It still protects the rest of your server then. So I still strongly suggest to have that set to 1.

I can't have spam_block enabled since it hinders my users. But, what should allowlocal be set to then? Does not matter right?
You mean smtp-block. But as you can see from my explanation, yes you can!
If you don't, then the "allowlocal" setting does indeed make no difference, that is correct.

I still do not understand how anyone could use my server to send mail.
I don't know if your edits were done the correct way or if changing the ip makes any difference for people to be able to send mail.
It's however fairly easy to send spam from your system to your existing users.

That's why that helo check is also so important, and I still wonder why this check is not working.
Since you have made some changes, maybe Sellerone, Zeiter or SMTalk can check this out and put the finger on the spot for you.
 
Surely these are things to consider, but whether I set smtp-block to on or off (0 or 1), it should not be able to be used as an open relay (the test on the other site confirmed this). Right?

Also, almost all users use the SMTP of another server (let's say they all use their own Gmail SMTP to send mail from sites) - I have set it up this way so the server IP can never be seen as a spammer, since it is hardly used, only for 1-2 clients to forward mails to their other mail addresses. It is a strange coincidence that exactly this server can be used by spammers. And it is not an open relay if I can believe the check...

Any changes made were done the way DirectAdmin's help files told me to.
 
Can anyone point me in the right direction or have any follow up steps I can check and do?
 
Can you recap what you've tried, where you're at, and your current concern? I read through the thread but it's been a bit hard to follow.

Are you 100% sure there isn't a compromised account being used? Maybe reset passwords for all user accounts.
 
@adam12 and all: I updated the first post to recap everything. Does this help?
 
Just to get something else clear. Are the okstate.edu and aristech.com domains residing on your server?
 
@adam12 and all: I updated the first post to recap everything. Does this help?

Any luck with my question about passwords? I'm pretty sure system accounts can login and transmit via SMTP, without an explicit email account being created.

I'm not discounting what you've done thus far, but it would suck to find out a commonly used login name was using a simple password and all these changes were moot.
 
@Richard G: Sent you a pm.

@Adam12: would it not show in the logs through which user this was sent? Also, in the tally which shows how much mail was sent by a user (/CMD_ALL_USER_SHOW), there is no user to which these mails are added. I can reset the passwords, but it would be a big inconvenience for some of my users. So, would it not show in the tally and in the logs if a user was used? (all users are added by ME, with passwords generated by DA)
 
I got the pm and tested, your server is indeed an open relay, but not the normal way.
Normally people can connect on port 25 and the open relay works that way.

I investigated and found out that your server refuses the mail because it is not encrypted. Once I'd seen that, I tried sending mail via port 587 without any verification. You can check the logs, you will find my name a couple of times, some test domains of mine and my company domain. Please don't post them publicly.

Anyway, I was able without any issue to send mail via port 587 to myself.

This explains why the test said it was not an open relay: they only test port 25 and then the connection is refused. The MXtoolbox test was better and defined there was a possible open relay.

It should be fixed as soon as smtp authentication is active which is not the case at the moment.

Check if /etc/exim.variables.conf.custom exists if not, create it and add this line:
Code:
hostlist relay_hosts=
After that, restart Exim and you should be fine.

If it does already exist, then I hope Zeiter or SMtalk can explain this or you might want to send in a ticket to DA to point them at this thread and the issue.

P.s. that is also the reason that you don't see any user in the logs and you won't see it in the DA panel. It's all happening from external source and bypassing directadmin completely. Just (ab)using the mail system. That's also why I initially already thought of an open relay.
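An added example, not from this thread or from DirectAdmin/Exim, that turns Richard G's finding into a log check a server owner can run: it parses Exim mainlog "<=" arrival lines and flags messages accepted over SMTP from an external host without SMTP AUTH (no A= field), also noting a non-FQDN HELO like the "IP-223-11" in the excerpt above. The sample lines, addresses and the `local_ips` parameter (the server's own addresses) are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in Exim mainlog format, modelled on this thread's excerpt:
# the HELO "IP-223-11" and 46.183.223.11 come from it, everything else is a placeholder.
SAMPLE_LOG = """\
2017-06-16 01:28:23 1dLeBa-0001t3-WB <= sender@example.invalid H=(IP-223-11) [46.183.223.11] P=esmtps X=TLSv1:DES-CBC3-SHA:168 CV=no S=1223 T="Re: Greetings" for someone@example.invalid
2017-06-16 01:28:24 1dLeBa-0001t3-WB => someone@example.invalid F=<sender@example.invalid> R=lookuphost T=remote_smtp S=1254
2017-06-16 02:00:00 1dLeZZ-0001zz-AA <= www-data@host.example.invalid U=www-data P=local S=900 T="Contact form" for owner@example.invalid
2017-06-16 02:05:00 1dLeZY-0001zy-AB <= user@example.invalid H=mail.example.invalid [203.0.113.10] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=login:user@example.invalid S=1000 T="Hello" for friend@example.invalid
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
HOST = re.compile(r"\bH=(?P<host>[^\s(\[]+)?\s?(?:\((?P<helo>[^)]*)\)\s)?\[(?P<ip>[^\]]+)\]")
FQDN = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")

def parse_arrival(line):
    """Parse an Exim '<=' (message accepted) line into a dict; None for other lines."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    rest = m.group("rest")
    proto = re.search(r"\bP=(\S+)", rest)
    auth = re.search(r"\bA=(\S+)", rest)
    host = HOST.search(rest)
    return {
        "id": m.group("id"), "sender": m.group("sender"),
        "proto": proto.group(1) if proto else None,
        "auth": auth.group(1) if auth else None,      # A= is logged only after SMTP AUTH
        "ip": host.group("ip") if host else None,     # None for P=local (sendmail / php mail())
        # Exim prints "(helo)" only when it differs from the reverse-DNS name
        "helo": (host.group("helo") or host.group("host")) if host else None,
    }

def audit_mainlog(text, local_ips=()):
    """Return arrivals accepted over SMTP without AUTH from hosts outside local_ips."""
    allowed = {ip_address(i) for i in local_ips}  # assumed: the server's own addresses
    flagged = []
    for line in text.splitlines():
        rec = parse_arrival(line)
        if rec is None or rec["ip"] is None:
            continue
        src = ip_address(rec["ip"])
        if rec["auth"] is not None or src.is_loopback or src in allowed:
            continue
        reasons = ["accepted without SMTP AUTH from external host"]
        if not FQDN.match(rec["helo"] or ""):
            reasons.append("HELO/EHLO is not an FQDN")
        flagged.append({**rec, "reasons": reasons})
    return flagged
```

Run it over /var/log/exim/mainlog: any hit is a message the server accepted from outside without authentication, which is exactly what `hostlist relay_hosts=` plus enforced SMTP AUTH on port 587 should make impossible.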
 