How protect your Exim good ?

[paisley]

I see this in the mail queque:
251P Received: from 223-141-130-215.dynamic.hinet.net ([223.141.130.215] helo=FASTERMAIL.COM)
by myserver.com with esmtp (Exim 4.76)
(envelope-from <[email protected]>)
id 1WgNCT-0000xO-Sq
for [email protected]; Sat, 03 May 2014 01:49:06 +0200
035F From: "Ekaterina" <[email protected]>
025T To: <[email protected]>
039 Subject: Hi, do you have a web camera?


Can they use my exim server with HELO or how can i protect from this abuse types ?

 

[zEitEr]

Hello,

And what domain do you host on your server: somesite.com or somesite.biz? Did you check your mail logs, use exigrep for it.

 

[paisley]

The domains are not hosted on my server.
They use my server (by myserver.com with esmtp (Exim 4.76)) for the SPAM without that they exist on the server.
How can i prevent from this SPAM ?

 

[zEitEr]

If to believe mail headers then the email was not originated from your server. If you don't want to receive SPAM, you porbably need to:

1. install/enable SpamAssassin http://help.directadmin.com/item.php?id=36
2. enable RBL http://help.directadmin.com/item.php?id=142 (or enable it as admin in administrator settings page)
3. enable sender user verification in /etc/exim.conf

 

[Spook]

Hi,
I enabled RBL in DA a week ago or so. Is there particular log file which allows observation of RBL checking? ..or in msg headers?

I've breifly poked around in all the logs for signs of the RBL doing something but so far haven't found anything.

At this stage, just DA with RBL "Yes" -- no spamassassin enabled.

 

[nobaloney]

/var/log/exim/rejectlog

 

[Spook]

Thanks for the direction, Jeff.

Off hand I can't really tell any difference from before activating the RBL. Tons of entries such as "Incorrect authentication data" and "authentication required" the others are few and far between.

Will I perhaps only see an RBL related entry only when an inbound email to a valid recipients? ..or are there some RBL use indicated in the log sample below?

[PLAIN]
2014-05-04 06:28:07 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=backup)
2014-05-04 06:28:09 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=backup)
2014-05-04 06:28:12 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=backup)
2014-05-04 06:28:14 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=backup)
2014-05-04 06:28:16 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=backup)
2014-05-04 06:28:18 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=backup)
2014-05-04 06:28:20 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=order)
2014-05-04 06:28:22 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=order)
2014-05-04 06:28:24 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=order)
2014-05-04 06:28:26 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=order)
2014-05-04 06:28:28 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=order)
2014-05-04 06:28:31 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=order)
2014-05-04 06:28:33 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=webmaster)
2014-05-04 06:28:35 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=webmaster)
2014-05-04 06:28:37 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=webmaster)
2014-05-04 06:28:39 login authenticator failed for zulu1623.startdedicated.com (localhost) [188.138.121.67]: 535 Incorrect authentication data (set_id=webmaster)
2014-05-04 15:04:26 H=118-161-77-114.dynamic.hinet.net (xxx.xxx.xxx.xxx) [118.161.77.114] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-04 15:09:30 H=118-161-77-114.dynamic.hinet.net (xyx.xyx.xyx.xyx) [118.161.77.114] F=<[email protected]> rejected RCPT <[email protected]>: authentication required

~

2014-05-05 07:16:49 login authenticator failed for (xxx.xxx.xxx.xxx) [189.254.227.35]: 535 Incorrect authentication data (set_id=michael)
2014-05-05 07:17:10 login authenticator failed for (xyx.xyx.xyx.xyx) [189.254.227.35]: 535 Incorrect authentication data (set_id=michael)
2014-05-05 07:17:22 login authenticator failed for (xxx.xxx.xxx.xxx) [189.254.227.35]: 535 Incorrect authentication data (set_id=admin9)
2014-05-05 07:17:41 login authenticator failed for (xyx.xyx.xyx.xyx) [189.254.227.35]: 535 Incorrect authentication data (set_id=admin9)
2014-05-05 07:17:53 login authenticator failed for (xxx.xxx.xxx.xxx) [189.254.227.35]: 535 Incorrect authentication data (set_id=ms)
2014-05-05 07:18:11 login authenticator failed for (xyx.xyx.xyx.xyx) [189.254.227.35]: 535 Incorrect authentication data (set_id=ms)
2014-05-05 07:18:23 login authenticator failed for (xxx.xxx.xxx.xxx) [189.254.227.35]: 535 Incorrect authentication data (set_id=contact)
2014-05-05 07:18:42 login authenticator failed for (xyx.xyx.xyx.xyx) [189.254.227.35]: 535 Incorrect authentication data (set_id=contact)
2014-05-05 07:18:54 login authenticator failed for (xxx.xxx.xxx.xxx) [189.254.227.35]: 535 Incorrect authentication data
2014-05-05 07:19:12 login authenticator failed for (xyx.xyx.xyx.xyx) [189.254.227.35]: 535 Incorrect authentication data
2014-05-06 14:12:06 H=114-37-1-31.dynamic.hinet.net (xyx.xyx.xyx.xyx) [114.37.1.31] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-06 14:15:47 H=114-37-1-31.dynamic.hinet.net (xxx.xxx.xxx.xxx) [114.37.1.31] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-07 02:03:56 H=114-37-1-31.dynamic.hinet.net (xyx.xyx.xyx.xyx) [114.37.1.31] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-07 02:04:18 H=114-37-1-31.dynamic.hinet.net (xxx.xxx.xxx.xxx) [114.37.1.31] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-07 13:43:38 H=114-37-1-31.dynamic.hinet.net (xxx.xxx.xxx.xxx) [114.37.1.31] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-07 13:43:40 H=114-37-1-31.dynamic.hinet.net (xyx.xyx.xyx.xyx) [114.37.1.31] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 04:54:18 H=114-37-1-31.dynamic.hinet.net (xxx.xxx.xxx.xxx) [114.37.1.31] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 04:54:20 H=114-37-1-31.dynamic.hinet.net (xyx.xyx.xyx.xyx) [114.37.1.31] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 14:40:15 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=1-164-100-86.dynamic.hinet.net [1.164.100.86] input="GET http://www.scanproxy.com:80/p-25.html HTTP/1.0\r\nContent-Type: text/html\r\nProxy-Connection: keep-alive\r\nHost: www.scanproxy.com\r\nAccept: image/gif,"
2014-05-08 14:40:15 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=1-164-100-86.dynamic.hinet.net [1.164.100.86] input="GET http://www.scanproxy.com:80/p-25.html HTTP/1.0\r\nContent-Type: text/html\r\nProxy-Connection: keep-alive\r\nHost: www.scanproxy.com\r\nAccept: image/gif,"
2014-05-08 14:40:15 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=1-164-100-86.dynamic.hinet.net [1.164.100.86] input="\004\001"
2014-05-08 14:40:16 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=1-164-100-86.dynamic.hinet.net [1.164.100.86] input="\004\001"
2014-05-08 14:40:16 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=1-164-100-86.dynamic.hinet.net [1.164.100.86] input="\005\001"
2014-05-08 14:40:16 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=1-164-100-86.dynamic.hinet.net [1.164.100.86] input="\005\001"
2014-05-08 15:10:54 H=1-164-178-236.dynamic.hinet.net (xxx.xxx.xxx.xxx) [1.164.178.236] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 15:10:54 H=1-164-178-236.dynamic.hinet.net (xyx.xyx.xyx.xyx) [1.164.178.236] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 16:56:22 H=1-164-178-236.dynamic.hinet.net (xxx.xxx.xxx.xxx) [1.164.178.236] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 16:56:22 H=1-164-178-236.dynamic.hinet.net (xyx.xyx.xyx.xyx) [1.164.178.236] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 18:34:26 H=1-164-178-236.dynamic.hinet.net (xxx.xxx.xxx.xxx) [1.164.178.236] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 18:34:26 H=1-164-178-236.dynamic.hinet.net (xyx.xyx.xyx.xyx) [1.164.178.236] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 20:09:37 H=1-164-178-236.dynamic.hinet.net (xxx.xxx.xxx.xxx) [1.164.178.236] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-05-08 20:09:38 H=1-164-178-236.dynamic.hinet.net (xyx.xyx.xyx.xyx) [1.164.178.236] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
[/PLAIN]

 

[zEitEr]

I enabled RBL in DA a week ago or so. Is there particular log file which allows observation of RBL checking? ..or in msg headers?

With a default exim.conf of 2nd version you should see in log /var/log/exim/mainlog lines with the following words:

"to unblock see http://www.example.com/"

If so, then RBL is working fine for you.

 

[nobaloney]

Of course that means you've not set up your own webpage to send people to when they get blocked so you'll never get unblock requests. While this may be what you want, your clients may not appreciate not being able to get whitelised.

Note Alex the above reply is for completeness and for the record; not specifically for you.

If user is using my file and not the default which comes installed in DirectAdmin then the installation instructions must be followed; see here (nobaloney.net).

Jeff

 

[zEitEr]

webpage to send people to when they get blocked so you'll never get unblock requests

We have a custom page specified in a such a message. Since 2005 nobody has contacted us with a request to remove their IP from ban. Why should anybody worry about it? Legal users usually use function to remove their IP from black list on a site of RBL holder.

 

[nobaloney]

We also use our own page, and we allow DirectAdmin users to copy it (but we cannot give you permission to copy the images, because they're not ours; please use your own).

http://www.spamblocked.net/blocked.html

Please however, do NOT point people to our page. If you do, and they notify us, they simply get a form email saying we don't host the recipient so we can't unblock them.

We get a few (under ten) unblock requests monthly, and we're happy to investigate and unblock them so our users can be assured any legitimate contact can reach them.

We recommend blocking and whitelisting by email servers if you're sure it's a server you're willing to accept email, but using sender level blocking or whitelisting, for example, google, hotmail, etc., addresses.

Jeff

 

[Spook]

I actually did cover the unblocking url and made a blurb about unblocking on a special html page.

I think however that I'm also supposed to uncomment some of the exim.conf to actually get the RBLs doing anything?

I had literally and only turned on RBLs in DA and then added my own URL in place of example.com in the exim and waited for some sort of indication of it doing something. ;-)

In hindsight I am thinking that the additional lines in the exim.conf must also need attention, which I read but left alone -- never found instructions in the forum that indicated I needed to do anything other than toggle the DA RBL option.

I know it may seem obvious to a majority on the forum (if further edits are required to exim as I suspect now) but given the complexity of the whole server, and the exim.conf all by itself I'm reluctant to just 'try' too much.

 

[nobaloney]

I can't help you much with the default exim.conf file supplied by Directadmin except to point out that CustomBuild settings should enable you to set up everything.

If you're using my file then you need to (as root):

cd /etc/virtual
rm use_rbl_domains
ln -s domains use_rbl_domains

and of course add and edit the necessary files under /etc/virtual; be sure to see my ReadMe file.

And then of course restart exim.

Jeff