Spent a whole week but cannot find the spammer, please advise?

ozgurerdogan (Verified User, joined Apr 20, 2008, 343 messages)
My IP is getting blacklisted. But I just cannot find a clue in the exim logs. Nothing weird, no exim limit usage warning. I am really going crazy and there must be a way to monitor the spammer.

My exim log selector is:
Code:
log_selector = \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  +arguments \
  +connection_reject \
  +address_rewrite \
  +all_parents \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery

I have also exim.easy_spam_fighter and exim.blockcracking installed.

Sometimes I receive a spam complaint from http://m.usgoabuse.net/ as follows:
Code:
Received: from [my.ip.ad.hr] by usgo.net
          (USGO MTA v5/:PGxldml0cmEub3JkZXJAbzIuY29tPjxwZWFudXRnaEB1c2ZhbWlseS5uZXQ_)
          with SMTP id <20150827015904102749800012> for <[email protected]>;
          Thu, 27 Aug 2015 01:59:04 -0500 (CDT)
          (envelope-from [email protected])
Date: Thu, 27 Aug 2015 06:58:35 +0000
To: [email protected]
From: "Levitra Order" <[email protected]>
Subject: Notification, Discount 85% OFF, polish marriage
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"

But the only info about me is the IP address. So maybe I can block the whole usfamily.net domain? But that is a temporary solution. So I am totally stuck and just sitting and looking at logs.
I read lots of articles about spam issues but I find nothing in the logs. I changed all DirectAdmin user passwords, cron a daily clam scan, etc. etc., but still no luck.

So isn't there software that can track and show me the spammer instead of looking at logs line by line?
 
You have to determine where the spam is coming from.

Use this log_selector:
Code:
log_selector = \
  +address_rewrite \
  +all_parents \
  +connection_reject \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery \
  +arguments

Also there is a big chance spam is bounced back to your server; check those, and if possible spam not sent out yet, via your Mail Queue administration. Check if you can find any -auth_id name in there.
That will be the account which is hacked, if the spam is made via authentication.

Another possibility is that a script got hacked and they are sending out spam via php mail.

You might want to consider installing CSF/LFD but also a malicious file checker like Maldetect (look it up on this forum).
Also check this:
http://help.directadmin.com/item.php?id=455
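As an added example (not code from this thread, from DirectAdmin or from the exim.conf posted below), a small Python triage script that does the checks described above without reading the log line by line: it reads Exim mainlog lines and tallies accepted messages by SMTP AUTH id (the A= field, the same id that appears as -auth_id in a queued message's spool header), by local submitting user (U= with P=local), and by the working directory that the +arguments log selector records when a local process such as a PHP script calls sendmail. The log lines below are constructed samples with documentation addresses and IPs; the file path in the usage comment is the one named later in the thread.

```python
import re
import sys
from collections import Counter

# Constructed sample of /var/log/exim/mainlog lines (hypothetical, not from the thread).
# "<=" lines are message acceptances; A= is the SMTP AUTH id, U= the local submitting
# user (with P=local), and the "cwd=... N args:" record is what the +arguments log
# selector writes when a local process such as a PHP script calls /usr/sbin/sendmail.
SAMPLE_MAINLOG = """\
2015-08-27 01:58:10 1ZUaaa-0001A1-Aa <= bob@example.com H=(WIN-PC) [203.0.113.7] P=esmtpa A=login:bob@example.com S=2210 id=abc@WIN-PC T="Discount 85% OFF"
2015-08-27 01:58:11 1ZUaab-0001A2-Ab <= bob@example.com H=(WIN-PC) [203.0.113.7] P=esmtpa A=login:bob@example.com S=2210 id=abd@WIN-PC T="Discount 85% OFF"
2015-08-27 01:58:30 cwd=/home/shopuser/domains/shop.example.net/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2015-08-27 01:58:30 1ZUaac-0001A3-Ac <= shopuser@server.example.net U=shopuser P=local S=1880 T="Notification, polish marriage"
2015-08-27 01:58:31 1ZUaac-0001A3-Ac => alice@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.9]
2015-08-27 01:59:02 1ZUaad-0001A4-Ad <= carol@example.com H=(mx.example.com) [198.51.100.20] P=esmtp S=3100 T="Re: invoice"
"""

ACCEPT_RE = re.compile(r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
ARGS_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<cmd>.*)$")


def _field(rest, key):
    """Return the value of a 'key=value' token in the tail of an Exim log line."""
    m = re.search(r"(?:^| )" + re.escape(key) + r"=(\S+)", rest)
    return m.group(1) if m else None


def triage(log_text):
    """Tally accepted messages by origin so an abused account or script stands out."""
    auth_ids = Counter()      # SMTP AUTH ids (A=authenticator:id), i.e. the -auth_id
    local_users = Counter()   # uid owners of local submissions (U=user with P=local)
    script_dirs = Counter()   # working directories taken from +arguments records
    remote_unauth = 0         # inbound mail accepted without AUTH (ordinary inbound)
    last_cwd = None
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            # Heuristic: the arguments record is written just before the acceptance
            # line of the same local submission, so keep it for the next "<=" only.
            last_cwd = m.group("cwd")
            continue
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        auth = _field(rest, "A")
        proto = _field(rest, "P")
        if auth:
            auth_ids[auth] += 1
        elif proto == "local":
            local_users[_field(rest, "U") or "?"] += 1
            if last_cwd:
                script_dirs[last_cwd] += 1
        else:
            remote_unauth += 1
        last_cwd = None
    return {
        "auth_ids": auth_ids,
        "local_users": local_users,
        "script_dirs": script_dirs,
        "remote_unauth": remote_unauth,
    }


def rank_sources(log_text, top=10):
    """Return the busiest outbound origins as (label, count), most active first."""
    r = triage(log_text)
    rows = [("smtp-auth " + k, n) for k, n in r["auth_ids"].items()]
    rows += [("local-user " + k, n) for k, n in r["local_users"].items()]
    rows += [("script-cwd " + k, n) for k, n in r["script_dirs"].items()]
    rows.sort(key=lambda kv: (-kv[1], kv[0]))
    return rows[:top]


if __name__ == "__main__":
    # Usage: python exim_triage.py /var/log/exim/mainlog   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAINLOG
    for label, count in rank_sources(text):
        print(f"{count:6d}  {label}")
```

An authenticated id or a script directory at the top of the ranking is the account to lock or the directory to inspect; mail that never passed through Exim, which the later replies discuss, will of course not appear here.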
 
Thank you Richard. I updated the log selector. The problem is that the mail queue never has a high number or an unidentified sender. I scanned the whole server and it is all clean with clamav. I changed all DA passwords. And this is not a php script issue. I already have csf installed. But is there some setting I should take care of in csf?

I will look at maldetect. In fact I am looking for a permanent and easy solution like monitoring smtp traffic on the server with a traffic sniffer and seeing the clue there. Do you recommend a monitoring tool for that? Because every time, I have to look for something somewhere in the server, which takes lots of time with no guaranteed success. Also is it 1000% sure that, however the spammer sends out spam, exim will definitely log it, or is there some way that it might not be logged?
 
Hello,

In your first post, the headers of the email (that's the spam?) make no mention of Exim, so exim likely didn't send it.
This means the spammer is likely just freely sending email via port 25 from your server.

Ensure outbound port 25 is blocked to everyone except "mail" and "root".
Exim sends as mail, and I like to keep root open for when I'm debugging connection issues for people.

We've implemented this in our block_ips/iptables script a while back:
http://www.directadmin.com/features.php?id=1427

I'm not sure if CSF does it, but I would encourage them to match the same settings.

John
 
If Exim is configured correctly, it should not be possible anyway to abuse it as a mail relay.
However CSF does take care of that firewall for port 25 too with this setting:
Code:
SMTP_ALLOWGROUP = "mail,mailman"
so you don't have to worry about that.

Normally Exim should log if traffic is passing through Exim. Exim won't log if mail is sent another way, for example if your system is used as a mail relay (which should not be possible if you did not change wrong settings and are using CSF), your server is hacked or a script is doing it, or it's done via webmail. Check your webmail logs to see if there is anything to be found there.

The best way to detect what is going on is to have CSF block all non-authenticated traffic; you can also do this temporarily.
In csf.conf change:
Code:
SMTPAUTH_RESTRICT = "0"
to
Code:
SMTPAUTH_RESTRICT = "1"

And restart CSF.

With a bit of luck you should get error notices now about mail, which can point you to the origin of the mail.
Especially keep an eye on your mailqueue, /var/log/maillog and /var/log/exim/mainlog and also /var/log/exim/rejectlog for things which should not occur.
In this case I presume you are using CentOS or Fedora; other distros might have the logs in another place.
 
First of all, thank you for your time and sharing. I did not know a spammer can use some other way that exim would not log. So if exim does not log, is there no way other than making guesses how the spammer can use the server as a mail relay? Or can I check some other log files?

I installed maldetect and it found some files which clamav did not. I thought clamav was good enough to find malware. I was a bit surprised.

Also in the csf tcp_out section I removed port 25. I was guessing php files are using port 25 by default? But it does not matter, they can be set to use port 587 if 25 is an issue with spammers.

And in csf, I set:
Code:
SMTP_BLOCK = 1
SMTP_ALLOWLOCAL = 0
SMTP_PORTS = 25
SMTP_ALLOWGROUP = mail,mailman
SMTPAUTH_RESTRICT = 0

As I am using csf, I do not need to implement block_ips/iptables from DA, right? That might cause a conflict? Or can I?

Last thing: if outgoing port 25 is closed and mail and mailman are in the allowed group, the spammer can only use exim and that will cause logs, right? Can you please confirm my above settings?

Also here are my exim.conf settings, in case you want to check:
Code:
# SpamBlockerTechnology* powered exim.conf, Version 4.3.4
# beta-1
# September 9, 2014 03:03 (-0700)
# Exim configuration file for DirectAdmin
# Requires exim.pl as distributed by DirectAdmin here:
# http://files.directadmin.com/services/exim.pl version 19 or higher
# New version 4.2.1 removes obsolete dnsbl.njabl.org blocklist
# and two ahbl blocklists; see: # http://forum.directadmin.com/showthread.php?t=48774
# Edit#42 : entire section now commented out as there is no other
# name-based blocklist in use
# Includes SpamBlockerTechnology blocklists and optimizations:
# http://www.nobaloney.net/downloads/spamblocker/
# ClamAV optional
# SpamAssassin optional
# Dovecot/IMAP Mandatory
# *SpamBlockerTechnology is a Trademark of NoBaloney Internet Services:
# http://www.nobaloney.net
# 
# WARNING! Do NOT use this exim.conf Exim configuration file unless you
# make the required modifications to your Exim configuration
# following the instructions in the README file included in this
# distribution:
# README-SpamBlockerVersion4exim.conf.txt
# 
# The original exim.conf file distributed with Exim 4, includes the
# following copyright notice:
# 
# Copyright (C) 2002 University of Cambridge, Cambridge, UK
# 
# Portions of the file are taken from the exim.conf file as
# distributed with DirectAdmin (http://www.directadmin.com/)
# 
# Copyright (C) 2003-2011 JBMC Software, St Albert, AB, Canada
# 
# Portions of this file are written by NoBaloney Internet Services
# and are copyright as follows:
# 
# Copyright (C) 2004-2011 NoBaloney Internet Services, Riverside, Calif., USA
# 
# The entire Exim 4 distribution, including the exim.conf file, is
# distributed under the GNU GENERAL PUBLIC LICENSE, Version 2,
# June 1991. If you do not have a copy of the GNU GENERAL PUBLIC LICENSE
# you may download it, in it's entirety, from the website at:
# 
# http://www.nobaloney.net/exim/gnu-gpl-v2.txt
# 
# Thanks to all the members of the DirectAdmin community and of the exim
# community who have given their # much needed and appreciated help.
# 
# The most recent version of this file may always downloaded from the website
# at: http://www.nobaloney.net/downloads/spamblocker
# 
# MODIFICATION INSTRUCTIONS
# 
# YOU MUST MAKE THE CHANGES TO THIS
# SpamBlockerTechnology* powered exim.conf, Version 4.0
# file as documented in the README file.
# 
# The README file for this version is named:
# README-SpamBlockerVersion4exim.conf.txt

# CONFIGURATION STARTS HERE

#EDIT#1:
# primary_hostname =
smtp_active_hostname = ${if exists{/etc/virtual/helo_data}{${lookup{$interface_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}}{$primary_hostname}}

#EDIT#2-CLAMAV:
# av_scanner = clamd:/var/run/clamav/clamd
.include_if_exists /etc/exim.clamav.load.conf

#Block Cracking variables
.include_if_exists /etc/exim.blockcracking/variables.conf

#Easy Spam Fighter variables
.include_if_exists /etc/exim.easy_spam_fighter/variables.conf

#EDIT#3:
# qualify_domain =

#EDIT#4:
perl_startup = do '/etc/exim.pl'

#EDIT#5:
system_filter = /etc/system_filter.exim

#EDIT#6:
untrusted_set_sender = *

#EDIT#7:
#daemon_smtp_ports = 25 : 587 : 465
tls_on_connect_ports = 465

#EDIT#8:
local_from_check = false

RBL_DNS_LIST=\
       cbl.abuseat.org : \
       bl.spamcop.net : \
       combined.rbl.msrbl.net : \
       b.barracudacentral.org : \
       zen.spamhaus.org : \
       hostkarma.junkemailfilter.com=127.0.0.2

.include /etc/exim.variables.conf
.include /etc/exim.strings.conf
.include_if_exists /etc/exim.strings.conf.custom

#EDIT#10:
helo_allow_chars = _

#EDIT#11:
log_selector = \
  +address_rewrite \
  +all_parents \
  +connection_reject \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery \
  +arguments

#EDIT#12:
syslog_duplication = false

#EDIT#13:
acl_not_smtp = acl_script
acl_smtp_auth = acl_check_auth
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
acl_smtp_mail = ${if ={$interface_port}{587} {accept}{acl_check_mail}}
acl_smtp_rcpt = acl_check_recipient
acl_smtp_dkim = ${if ={$interface_port}{587} {accept}{acl_check_dkim}}
acl_smtp_data = acl_check_message

#EDIT#14:
addresslist whitelist_senders = nwildlsearch;/etc/virtual/whitelist_senders
addresslist blacklist_senders = nwildlsearch;/etc/virtual/blacklist_senders
domainlist blacklist_domains = nwildlsearch;/etc/virtual/blacklist_domains
domainlist whitelist_domains = nwildlsearch;/etc/virtual/whitelist_domains
domainlist local_domains = lsearch;/etc/virtual/domains
domainlist relay_domains = lsearch;/etc/virtual/domains
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
domainlist skip_rbl_domains = nwildlsearch;/etc/virtual/skip_rbl_domains
hostlist skip_rbl_hosts = ${if exists{/etc/virtual/skip_rbl_hosts}{wildlsearch;/etc/virtual/skip_rbl_hosts}}
hostlist skip_rbl_hosts_ip = ${if exists{/etc/virtual/skip_rbl_hosts_ip}{/etc/virtual/skip_rbl_hosts_ip}}
hostlist auth_relay_hosts = *
hostlist bad_sender_hosts = nwildlsearch;/etc/virtual/bad_sender_hosts
hostlist bad_sender_hosts_ip = /etc/virtual/bad_sender_hosts_ip
hostlist whitelist_hosts = nwildlsearch;/etc/virtual/whitelist_hosts
hostlist whitelist_hosts_ip = /etc/virtual/whitelist_hosts_ip
BLACKLIST_USERNAMES = /etc/virtual/blacklist_usernames

#EDIT#15:
#domainlist skip_av_domains = nwildlsearch;/etc/virtual/skip_av_domains

#EDIT#16:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts

#EDIT#17:
never_users = root

#EDIT#18:
host_lookup = *

#EDIT#19:
rfc1413_hosts = *
rfc1413_query_timeout = 0s

#EDIT#20:
#exim.variables.conf

#EDIT#21:
#exim.variables.conf

#EDIT#22:
#exim.variables.conf

#EDIT#23:
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
tls_advertise_hosts = *
#auth_over_tls_hosts = *


##################################################################################
# Access Control Lists
##################################################################################
begin acl


######################################
# ACL CONNECT
######################################
#EDIT#24:
acl_connect:
  warn set acl_m_spam_assassin_has_run = 0
  warn set acl_m_is_whitelisted = 0
  .include_if_exists /etc/exim.easy_spam_fighter/connect.conf
  accept hosts = *


######################################
# ACL CHECK MAIL
######################################
acl_check_mail:
  accept  condition = ${if eq{$acl_m_is_whitelisted}{1}{1}{0}}

#EDIT#31:
  accept  sender_domains = +whitelist_domains
          logwrite = $sender_host_address whitelisted in local domains whitelist
          set acl_m_is_whitelisted = 1
  accept  hosts = +whitelist_hosts
          logwrite = $sender_host_address whitelisted in local hosts whitelist
          set acl_m_is_whitelisted = 1
  accept  hosts = +whitelist_hosts_ip
          logwrite = $sender_host_address whitelisted in local hosts IP whitelist
          set acl_m_is_whitelisted = 1
  # accept if envelope sender is in whitelist
  accept  senders = +whitelist_senders
          logwrite = $sender_host_address whitelisted in local sender whitelist
          set acl_m_is_whitelisted = 1

  .include_if_exists /etc/exim.easy_spam_fighter/check_mail.conf
  accept


######################################
# ACL CHECK AUTH
######################################
#EDIT#24.5#
acl_check_auth:
  drop  set acl_m_authcount = ${eval10:0$acl_m_authcount+1}
        condition = ${if >{$acl_m_authcount}{2}}
        delay = 10s
        message = ONLY_ONE_AUTH_PER_CONN

  accept


######################################
# ACL CHECK HELO
######################################
#EDIT#25:
acl_check_helo:
  # accept mail originating on this server unconditionally
  accept  hosts = @[] : @
  # deny if the HELO pretends to be this host
    deny message = HELO_HOST_IMPERSANATION
      condition = ${if or { \
                            {eq{$sender_helo_name}{$smtp_active_hostname}} \
                            {eq{$sender_helo_name}{[$interface_address]}} \
                          } {true}{false} }
  # deny if the HELO is an IP address
    deny message = HELO_IS_IP
         condition   = ${if eq{$interface_port}{25}}
         condition   = ${if isip{$sender_helo_name}}
  # deny if hostname if ylmf-pc, which accounts for a HUGE percentage of BF attacks
    deny message = HELO_BLOCKED_FOR_ABUSE
         condition   = ${if eq{$sender_helo_name}{ylmf-pc}}
  # deny if the HELO pretends to be one of the domains hosted on the server
    deny message = HELO_IS_LOCAL_DOMAIN
        condition = ${if match_domain{$sender_helo_name}{+local_domains}{true}{false}}
        hosts = ! +relay_hosts
  accept


######################################
# ACL SCRIPT
######################################
acl_script:
  discard set acl_m_uid = ${perl{find_uid}}
          set acl_m_username = ${perl{get_username}{$acl_m_uid}}
          condition = ${if !eq {$acl_m_uid}{-1}{yes}{no}}
          condition = ${if >{${perl{hit_limit_user}{$acl_m_username}}}{1}}
          message = USER_TOO_MANY

  discard condition = ${if !eq{$originator_uid}{$exim_uid}}
          condition = ${if exists{BLACKLIST_USERNAMES}}
          condition = ${lookup{$acl_m_username}lsearch{BLACKLIST_USERNAMES}{1}{0}}
          message = USER_ON_BLACKLIST_SCRIPT

  .include_if_exists /etc/exim.blockcracking/script.conf

  accept

  .include_if_exists /etc/exim.blockcracking/script.recipients.conf


######################################
# ACL CHECK RECIPIENT
######################################
#EDIT#26:
acl_check_recipient:
  # block certain well-known exploits, Deny for local domains if
  # local parts begin with a dot or contain @ % ! / |
  deny  domains       = +local_domains
        local_parts   = ^[.] : ^.*[@%!/|]

  # If you've hit the limit, you can't send anymore. Requires exim.pl 17+
  drop  message = AUTH_TOO_MANY
        condition = ${perl{auth_hit_limit_acl}}
        authenticated = *

  drop  message = MULTIPLE_BOUNCE_RECIPIENTS
        senders = : postmaster@*
        condition = ${if >{$recipients_count}{0}{true}{false}}

  drop  message = TOO_MANY_FAILED_RECIPIENTS
        log_message = REJECTED - Too many failed recipients - count = $rcpt_fail_count
        condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
        !verify = recipient/callout=2m,defer_ok,use_sender

  drop  message = DOMAIN_SUSPENDED
        domains = +local_domains
        condition = ${if exists{/etc/virtual/${domain}_off}{yes}{no}}

  drop  authenticated = *
        condition = ${if exists{BLACKLIST_USERNAMES}}
        set acl_m_uid = ${perl{find_uid_auth_id}{$authenticated_id}}
        set acl_m_username = ${perl{get_username}{$acl_m_uid}}
        condition = ${if !eq {$acl_m_uid}{-1}{yes}{no}}
        condition = ${lookup{$acl_m_username}lsearch{BLACKLIST_USERNAMES}{1}{0}}
        message = USER_ON_BLACKLIST_SMTP
        logwrite = User account $acl_m_username is blocked via BLACKLIST_USERNAMES

  accept  condition = ${if eq{$acl_m_is_whitelisted}{1}{1}{0}}

  #Block Cracking - https://github.com/Exim/exim/wiki/BlockCracking
  .include_if_exists /etc/exim.blockcracking/auth.conf

  # restrict port 587 to authenticated users only
  # see also daemon_smtp_ports above
  accept  hosts = +auth_relay_hosts
	  condition = ${if eq {$interface_port}{587} {yes}{no}}
	  endpass
	  message = RELAY_NOT_PERMITTED_AUTH
	  authenticated = *
  # Deny all Mailer-Daemon messages not for us:
  deny message = We didn't send the message
       senders = :
       domains = !+relay_domains

  # Deny if the recipient doesn't exist:
    deny message = NO_SUCH_RECIPIENT
         domains = +local_domains
	 !verify = recipient
  # Remaining Mailer-Daemon messages must be for us
    accept senders = :
	   domains = +relay_domains

#EDIT#27:
  # 1st deny checks if it's a hostname or IPV4 address with dots or IPV6 address
    deny message = R1: HELO_SHOULD_BE_FQDN
         !authenticated = *
         condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
         condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
  ## 2nd deny makes sure the hostname doesn't end with a dot (invalid)
  #  deny message = R2: HELO_SHOULD_BE_FQDN
  #       !authenticated = *
  #       condition   = ${if match{$sender_helo_name}{\N\.$\N}}
  # 3rd deny makes sure the hostname has no double-dots (invalid)
    deny message = R3: HELO_SHOULD_BE_FQDN
         !authenticated = *
         condition   = ${if match{$sender_helo_name}{\N\.\.\N}}
  ## 4th deny make sure the hostname doesn't end in .home (invalid domain)
  #  deny message = R4: HELO_SHOULD_BE_FQDN
  #       !authenticated = *
  #       condition  = ${if match{$sender_helo_name}{\N\.home$\N}}

#EDIT#28:
  # warn domains = +skip_av_domains
  # set acl_m0 = $tod_epoch

#EDIT#29:
  deny  domains       = !+local_domains
        local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

#EDIT#30:
  accept  hosts = :
          logwrite = Whitelisted as having local origination

#EDIT#32:
    deny message = 554 denied. 5.7.1 BLOCKED_DUE_TO_SPAM_SENDER
    domains = +use_rbl_domains
    domains = !+skip_rbl_domains
    hosts = !+skip_rbl_hosts : !+skip_rbl_hosts_ip
    senders = +blacklist_senders

#EDIT#33:
    deny message = 554 denied. 5.7.1 BLOCKED_DUE_TO_SPAM_HOST
       # only for domains that do want to be tested against RBLs
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       hosts = !+skip_rbl_hosts : !+skip_rbl_hosts_ip
       hosts = +bad_sender_hosts

#EDIT#34:
    deny message = 554 denied. 5.7.1 BLOCKED_DUE_TO_SPAM_IP
       hosts = +bad_sender_hosts_ip

#EDIT#35:
  accept domains = +local_domains
         sender_domains = !+blacklist_domains
         hosts = !+bad_sender_hosts
         hosts = !+bad_sender_hosts_ip
         dnslists = list.dnswl.org
         logwrite = $sender_host_address whitelisted in list.dnswl.org

#EDIT#36:
  # accept domains = +local_domains
  #        dnslists = hostkarma.junkemailfilter.com=127.0.0.1
  #        logwrite = $sender_host_address whitelisted in hostkarma.junkemailfilter.com

#EDIT#37:
  # accept  local_parts = whitelist
  #         domains     = example.com

#EDIT#38:
  require verify = sender

#EDIT#39:
    deny message = 554 denied. 5.7.1 BLOCKED_DUE_TO_SPAM_DOMAIN
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       hosts = !+skip_rbl_hosts : !+skip_rbl_hosts_ip
       sender_domains = +blacklist_domains

#EDIT#40:
#    deny message = 554 denied. 5.7.1 Forged Paypal Mail, not sent from PayPal.
#         senders = *@paypal.com
#         condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}

#EDIT#41:
  warn hosts = +skip_rbl_hosts
       logwrite = $sender_host_address RBL whitelisted in skip_rbl_hosts
  warn hosts = +skip_rbl_hosts_ip
       logwrite = $sender_host_address RBL whitelisted in skip_rbl_hosts_ip
  warn domains = +skip_rbl_domains
       logwrite = $sender_host_address RBL whitelisted $domain in skip_rbl_domains
  
  deny message = RBL_BLOCKED_BY_LIST
       hosts    = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       hosts = !+skip_rbl_hosts : !+skip_rbl_hosts_ip
       !authenticated = *
       dnslists = RBL_DNS_LIST

  .include_if_exists /etc/exim.easy_spam_fighter/check_rcpt.conf

#COMMENT#43:
# ACCEPT EMAIL BEGINNING HERE
  # accept if address is in a local domain as long as recipient can be verified
  accept  domains = +local_domains
          endpass
	  message = UNKNOWN_USER
          verify = recipient
#COMMENT#44
  # accept if address is in a domain for which we relay as long as recipient
  # can be verified
  accept  domains = +relay_domains
          endpass
          verify = recipient
#EDIT#45:
  accept  hosts = +relay_hosts
          add_header = X-Relay-Host: $sender_host_address

  accept  hosts = +auth_relay_hosts
          endpass
          message = AUTH_REQUIRED
          authenticated = *

# FINAL DENY EMAIL BEFORE DATA BEGINS HERE
  # default at end of acl causes a "deny", but line below will give
  # an explicit error message:
  deny    message = RELAY_NOT_PERMITTED


######################################
# ACL CHECK DKIM
######################################
acl_check_dkim:
  accept  condition = ${if eq{$acl_m_is_whitelisted}{1}{1}{0}}
          
  .include_if_exists /etc/exim.easy_spam_fighter/check_dkim.conf
  accept


######################################
# ACL CHECK MESSAGE
######################################
# ACL that is used after the DATA command (ClamAV)
acl_check_message:
  accept  condition = ${if eq{$acl_m_is_whitelisted}{1}{1}{0}}

  .include_if_exists /etc/exim.easy_spam_fighter/check_message.conf

#EDIT#46:
.include_if_exists /etc/exim.clamav.conf

  ## accept without checking if in skip_av_domains
  # accept condition =${if and {{def:acl_m0}{def:acl_m0}} {true}{false}}

  ## deny if email contains malformed MIME header
  # deny message = CLAM_MALFORMED_MIME
  # demime = *
  # condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  ## deny if email containing virus or other harmful content
  # deny message = CLAM_HAS_VIRUS
  # demime = *
  # malware = *
 
  ## deny  if email contains an attachment of type we don't accept.
  # deny message = CLAM_BAD_ATTACHMENT
  # demime = bat:com:pif:prf:scr:vbs:html
 
  ## Accept but put warning into headers if message over 1000k
  # warn message = CLAM_SKIPPED
  # condition = ${if >={$message_size}{1000k} {1}{0}}
 
  # warn message = CLAM_CLEAN

  ## The end of the acl_check_message acl (ClamAV)
  ## Do NOT comment out the line below or all messages will be denied.
  accept


##################################################################################
# AUTHENTICATION CONFIGURATION
##################################################################################
begin authenticators

plain:
    driver = plaintext
    public_name = PLAIN
    server_prompts = :
    server_condition = "${perl{smtpauth}{0}}"
    server_set_id = $2

login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "Username:: : Password::"
    server_condition = "${perl{smtpauth}{0}}"
    server_set_id = $1

#EDIT#47:
# REWRITE CONFIGURATION
# There is no rewriting specification in this exim.conf file. If your
# configuration requires one, it would go here



##################################################################################
# ROUTERS CONFIGURATION
##################################################################################
begin routers
#EDIT#48:

lookuphost:
  driver = dnslookup
  domains = ! +local_domains
  ignore_target_hosts = 127.0.0.0/8
  condition = "${perl{check_limits}}"
  transport = remote_smtp
  no_more

# RELATED: http://help.directadmin.com/item.php?id=153
# smart_route:
#   driver = manualroute
#   domains = ! +local_domains
#   ignore_target_hosts = 127.0.0.0/8
#   condition = "${perl{check_limits}}"
#   route_list = !+local_domains HOSTNAME-or-IP#
#   transport = remote_smtp

#COMMENT#49:
#DIRECTORS CONFIGURATION

.include_if_exists /etc/exim.spamassassin.conf

#EDIT#50:
# Spam Assassin
#spamcheck_director removed. Use the exim.spamassassin.conf

majordomo_aliases:
  driver = redirect
  allow_defer
  allow_fail
  data = ${if exists{/etc/virtual/${domain}/majordomo/list.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/list.aliases}}}}
  domains = lsearch;/etc/virtual/domainowners
  file_transport = address_file
  group = daemon
  pipe_transport = majordomo_pipe
  retry_use_local_part
  no_rewrite
  user = majordomo

majordomo_private:
  driver = redirect
  allow_defer
  allow_fail
  #condition = "${if eq {$received_protocol} {local} {true} {false} }"
  condition = "${if or { {eq {$received_protocol} {local}} \
                         {eq {$received_protocol} {spam-scanned}} } {true} {false} }"
  data = ${if exists{/etc/virtual/${domain}/majordomo/private.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/private.aliases}}}}
  domains = lsearch;/etc/virtual/domainowners
  file_transport = address_file
  group = daemon
  pipe_transport = majordomo_pipe
  retry_use_local_part
  user = majordomo

domain_filter:
  driver = redirect
  allow_filter
  no_check_local_user
  condition = "${if exists{/etc/virtual/${domain}/filter}{yes}{no}}"
  user = "${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}"
  group = "mail"
  file = /etc/virtual/${domain}/filter
  directory_transport = address_file
  pipe_transport = virtual_address_pipe
  retry_use_local_part
  no_verify

uservacation:
  # uservacation reply to all except errors, bounces, lists
  driver = accept
  condition = ${lookup{$local_part} lsearch {/etc/virtual/${domain}/vacation.conf}{yes}{no}}
  condition = ${if match{$h_X-Spam-Status:}{\N^Yes\N}{no}{yes}}
  require_files = /etc/virtual/${domain}/reply/${local_part}.msg
  # do not reply to errors and bounces or lists
  senders = " ! ^.*-request@.*:\
              ! ^owner-.*@.*:\
              ! ^postmaster@.*:\
              ! ^listmaster@.*:\
              ! ^mailer-daemon@.*\
              ! ^root@.*"
  transport = uservacation
  unseen

userautoreply:
  driver = accept
  condition = ${lookup{$local_part} lsearch {/etc/virtual/${domain}/autoresponder.conf}{yes}{no}}
  condition = ${if match{$h_X-Spam-Status:}{\N^Yes\N}{no}{yes}}
  require_files = /etc/virtual/${domain}/reply/${local_part}.msg
  # do not reply to errors and bounces or lists
  senders = " ! ^.*-request@.*:\
              ! ^owner-.*@.*:\
              ! ^postmaster@.*:\
              ! ^listmaster@.*:\
              ! ^mailer-daemon@.*\
              ! ^root@.*"
  transport = userautoreply
  unseen

virtual_aliases_nostar:
  driver = redirect
  allow_defer
  allow_fail
  data = ${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}
  file_transport = address_file
  group = mail
  pipe_transport = virtual_address_pipe
  retry_use_local_part
  unseen
  #include_domain = true

virtual_user:
  driver = accept
  condition = ${perl{save_virtual_user}}
  domains = lsearch;/etc/virtual/domainowners
  group = mail
  retry_use_local_part
  transport = dovecot_lmtp_udp

# accept only if local_part is not in the aliases file
# (this implements catch-all)
virtual_aliases:
  driver = redirect
  allow_defer
  allow_fail
  condition = ${if eq {}{${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}}{yes}{no}}
  data = ${if exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch*{/etc/virtual/$domain/aliases}}}}
  file_transport = address_file
  group = mail
  pipe_transport = virtual_address_pipe
  retry_use_local_part
  #include_domain = true

#COMMENT#51:
drop_solo_alias:
  driver = redirect
  allow_defer
  allow_fail
  data = ${if exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch{/etc/virtual/$domain/aliases}}}}
  file_transport = devnull
  group = mail
  pipe_transport = devnull
  retry_use_local_part
  #include_domain = true

#COMMENT#52:
userforward:
  driver = redirect
  allow_filter
  check_ancestor
  check_local_user
  no_expn
  file = $home/.forward
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  no_verify

system_aliases:
  driver = redirect
  allow_defer
  allow_fail
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe
  retry_use_local_part
  # user = exim

localuser:
  driver = accept
  check_local_user
  condition = "${if eq {$domain} {$primary_hostname} {yes} {no}}"
  transport = local_delivery

#COMMENT#53:
# TRANSPORTS CONFIGURATION
begin transports

#COMMENT#54:
spamcheck:
  driver = pipe
  batch_max = 100
  command = /usr/sbin/exim -oMr spam-scanned -bS
  current_directory = "/tmp"
  group = mail
  home_directory = "/tmp"
  log_output
  message_prefix = 
  message_suffix = 
  return_fail_output
  no_return_path_add
  transport_filter = /usr/bin/spamc -u ${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}
  use_bsmtp
  user = mail

#COMMENT#55:
majordomo_pipe:
  driver = pipe
  group = daemon
  return_fail_output
  user = majordomo

#COMMENT#56:
local_delivery:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  directory = /home/$local_part/Maildir/
  directory_mode = 770
  create_directory = true
  maildir_format
  group = mail
  mode = 0660
  return_path_add
  user = ${local_part}

#COMMENT#57:
virtual_localdelivery:
  driver = appendfile
  create_directory
  delivery_date_add
  directory_mode = 770
  envelope_to_add
  directory = /home/${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}/imap/${domain}/${local_part}/Maildir
  maildir_format
  group = mail
  mode = 660
  return_path_add
  user = "${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}"
  quota = ${if exists{/etc/virtual/${domain}/quota}{${lookup{$local_part}lsearch*{/etc/virtual/${domain}/quota}{$value}{0}}}{0}}

#EDIT#58:
uservacation:
  driver = autoreply
  file = /etc/virtual/${domain}/reply/${local_part}.msg
  from = "${local_part}@${domain}"
  log = /etc/virtual/${domain}/reply/${local_part}.log
  no_return_message
  subject = "${if def:h_Subject: {Autoreply: ${quote:${escape:$h_Subject:}}} {I am on vacation}}"
  text = "\
	------                                                           ------\n\n\
	This message was automatically generated by email software\n\
	The delivery of your message has not been affected.\n\n\
	------                                                           ------\n\n"
  to = "${sender_address}"
  user = mail
  once = /etc/virtual/${domain}/reply/${local_part}.once
  once_file_size = 100K
  once_repeat = 2d

#COMMENT#59:
userautoreply:
  driver = autoreply
  bcc = ${lookup{${local_part}} lsearch {/etc/virtual/${domain}/autoresponder.conf}{$value}}
  file = /etc/virtual/${domain}/reply/${local_part}.msg
  from = "${local_part}@${domain}"
  log = /etc/virtual/${domain}/reply/${local_part}.log
  no_return_message
  subject = "${if def:h_Subject: {Autoreply: ${quote:${escape:$h_Subject:}}} {Autoreply Message}}"
  to = "${sender_address}"
  user = mail
  once = /etc/virtual/${domain}/reply/${local_part}.once
  once_file_size = 100K
  once_repeat = 2d

#COMMENT#60:
devnull:
  driver = appendfile
  file = /dev/null

#COMMENT#61:
remote_smtp:
  driver = smtp
  headers_add = "${if def:authenticated_id{X-Authenticated-Id: ${authenticated_id}}}"
  interface = <; ${if exists{/etc/virtual/domainips}{${lookup{$sender_address_domain}lsearch{/etc/virtual/domainips}}}}
  helo_data = ${if exists{/etc/virtual/helo_data}{${lookup{$sending_ip_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}}{$primary_hostname}}
.include_if_exists /etc/exim.dkim.conf

#EDIT#62:
address_pipe:
  driver = pipe
  return_output

virtual_address_pipe:
  driver = pipe
  group = nobody
  return_output
  user = "${lookup{$domain}lsearch* {/etc/virtual/domainowners}{$value}}"
.include_if_exists /etc/exim.cagefs.pipe.conf

#COMMENT#63:
address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

#COMMENT#64:
address_reply:
  driver = autoreply

dovecot_lmtp_udp:
  driver = lmtp
  socket = /var/run/dovecot/lmtp
  #maximum number of deliveries per batch, default 1
  batch_max = 200
  return_path_add

##################################################################################
# RETRY CONFIGURATION
##################################################################################
#EDIT#65:
# Domain               Error       Retries
# ------               -----       -------
begin retry
*                      quota
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,8h
# End of Exim 4 configuration
 
For my time, you're welcome.
About port 25, I did not remove that from CSF, because the port has to be opened for outgoing mail to work. CSF makes its own rules to limit this tcp_out for mail and mailman.
With SMTP_ALLOW_LOCAL=0 you also prevent local mail from being sent out (like mail from scripts and php). So I would leave the tcp_out setting of CSF original.
So you do not need to implement the block/iptables of DA. There is a chance it will overwrite rules created by csf, or maybe not, but CSF is handling it already in a better (or rather, more extended) way.

If you're running Centos and Roundcube webmail, you could check /var/www/html/roundcube/logs/sendmail which contains logs of send mails via webmail.

If you did not change anything important your exim.conf should be fine, you're even using a newer one than I am (I'm on 4.3.0), so that should be fine.

About CSF I can confirm your settings, local mail will be denied now and will trigger CSF/LFD to generate a report if somebody tries to.
If authenticated mail is used, you also should be able to find things in the logfiles.

Check these too; you can play with the limits:
Code:
# This option triggers for external email
RT_RELAY_ALERT = "1"
RT_RELAY_LIMIT = "500"
RT_RELAY_BLOCK = "0"

# This option triggers for email authenticated by SMTP AUTH
RT_AUTHRELAY_ALERT = "1"
RT_AUTHRELAY_LIMIT = "500"
RT_AUTHRELAY_BLOCK = "0"

# This option triggers for email sent via /usr/sbin/sendmail or /usr/sbin/exim
RT_LOCALRELAY_ALERT = "1"
RT_LOCALRELAY_LIMIT = "500"

# This option triggers for email sent via a local IP addresses
RT_LOCALHOSTRELAY_ALERT = "1"
RT_LOCALHOSTRELAY_LIMIT = "500"

Normally the auth_relay is higher but you can set them to 500 like in this example, or a bit lower. CSF/LFD will not block with a setup like this, so real users will have no problems. But you will get a warning from CSF/LFD if a spammer is sending more than 500 mails.
 
I wanted to block outgoing port 25 as John suggested. But when removing it from csf, mail send and receive does not work.

I set SMTP_ALLOW_LOCAL=0 to force php script / malwares to use exim smtp auth so I can track them. I also disabled php mailsend function. So I tell my client to use smtp auth when sending mail from php files. Is that ok?

Also one setting in csf that I do not understand:
SMTP_PORTS section, it writes:
"This is a comma separated list of the ports to block. You should list all ports that exim is configured to listen on"

Why should I enter port that exim is listening here to BLOCK them? Why anybody would do that? Exim must listen on some port and if csf blocks them exim can not function? What am I missing here?
 
I wanted to block outgoing port 25 as John suggested. But when removing it from csf, mail send and receive does not work.
As I said, CSF is already doing that for you. However you can always try the iptables block as John suggested, no harm in trying.

So I tell my client to use smtp auth when sending mail from php files. Is that ok?
Yes that is OK. In fact since you disabled the rest, this is the only way he will be able to send mail.

Why should I enter port that exim is listening here to BLOCK them?
Yes, the description is a bit strange indeed. Exim ports won't be blocked, I've got port 25 in there.
I guess it's so CSF knows which ports Exim is using, and those are blocked except for Exim traffic. However, in that case the description could be clearer.
Maybe it's best to ask over at the CSF forum.
 
Last question: what do you call the method the spammer uses? He uses a socket connection instead of SMTP so exim does not log it?
 
I don't exactly know how he is spamming. We just call it spamming, or spamming via php mail if it's done via php mail.
I don't know if there is a special naming for it.
 
Yeah, I don't think there is a specific name for it, but I would call it "sending emails directly to port 25 on remote servers".

Make sure you still have "25" in your daemon_smtp_port setting (remove the # character to activate it again and restart exim).
That controls inbound email, which is not in question at the moment.
If exim doesn't listen on 25, nobody will get email. It's not likely related to the issue anyway: if the "remote port 25 delivery" is being used, exim isn't even being touched at all, so it would be completely unrelated to the issue.

I would recommend manually testing your firewall settings. If you login to ssh as "admin" or any other non-root/non-mail user, type:
Code:
telnet directadmin.com 25
to ensure you cannot connect. Then try 587 which should work, just for the connection and exim header (then type QUIT). But then test delivery of an email to a remote site, like gmail, to ensure "mail" can still get out, which would use 25... that should be open.

Also manually looking at iptables would be good, if you are able to follow each rule, eg:
Code:
iptables -nL
ignore the mess of IPs that might be blocked.
Ours looks like this, CSF may be similar, possibly different or more IDs:
Code:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           owner UID match 8 tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           owner UID match 0 tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:25
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 reject-with icmp-port-unreachable
John
 
If they are bypassing your exim to send spam, you might want to do something like:
Code:
lsof |grep TCP |grep -i smtp
over a period of time until you see some process other than exim, then find where that process lives. You may even have to put this command in some sort of loop to find the entry. It will look similar to this:
Code:
SOMEPROCESS 3207 mail 7u IPv4 7556258 0t0 TCP YOURSERVER:RANDOMPORT->DESTINATION_SERVER:smtp (ESTABLISHED)

Where SOMEPROCESS is the name of the process that is connected to a remote port 25, YOURSERVER is the name of your server, RANDOMPORT is the local port that the process is writing to and DESTINATION_SERVER is the remote MX server that mail is attempting to be delivered. You can ignore the line that shows that exim is LISTENing to the local port 25. Or if
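A loop around that lsof check, as an added example (not TomL's own script): it assumes lsof is installed and that exim is the only process that should open outbound SMTP connections, and it logs every other process holding an established connection to a remote port 25.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes lsof(8) is installed and that
# exim is the only process that should open outbound SMTP connections.

# Filter "lsof -i" output on stdin: keep ESTABLISHED connections whose remote
# endpoint is port smtp/25 and whose command name is not exim.
# Prints: PID USER COMMAND REMOTE_ENDPOINT
rogue_smtp_from_lsof() {
    awk '
        $NF ~ /ESTABLISHED/ && $1 !~ /^exim/ {
            split($9, ep, "->")          # field 9 is LOCAL->REMOTE
            if (ep[2] ~ /:(smtp|25)$/) print $2, $3, $1, ep[2]
        }'
}

# Poll lsof every $1 seconds (default 10) and append hits, with a timestamp,
# to $2 (default /var/log/rogue-smtp.log). Run as root so lsof sees all users.
watch_rogue_smtp() {
    interval=${1:-10}
    logfile=${2:-/var/log/rogue-smtp.log}
    while :; do
        lsof -n -i TCP 2>/dev/null | rogue_smtp_from_lsof |
        while read -r hit; do
            printf '%s %s\n' "$(date '+%F %T')" "$hit"
        done >>"$logfile"
        sleep "$interval"
    done
}
```

Once a PID shows up in the log, `ls -l /proc/PID/cwd /proc/PID/exe` tells you which directory and binary the process was started from.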
 
This is definitely not exim related, otherwise I would find it in the exim logs. What I don't understand is, is the user creating his own process to send email? When I remove port 25 from TCP out in csf, there comes a problem with email send and receive. So I will try the iptables way to block outgoing 25.
 
When I remove port 25 from TCP out in csf, there comes a problem with email send and receive.
Correct, I told you before you should not remove it otherwise things will not work correctly.

I suggest trying TomL's suggestion, it could be a separate process, which can be found that way. Is spam still being sent out?
 
Spam stopped and probably maldetect found it and removed it, which clamav could not. But whatever I do, I can not block outgoing port 25. That kb does not work. Not sure if it is because of csf installed. But I can telnet outbound fine.
I am using:

Code:
iptables -A OUTPUT -m owner --uid-owner mail -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner root -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j REJECT

It might be conflicting with csf, but what I really do not understand is why I can not use csf to block outgoing port 25?
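Why rules appended like this can stay dead next to CSF, as an added example (not from the thread): iptables walks the OUTPUT chain top-down and stops at the first match, so a REJECT appended with -A behind an earlier CSF ACCEPT for port 25 never fires. The script assumes a stock iptables and `iptables -S OUTPUT` style listings; the check function is a heuristic on that listing.

```shell
#!/bin/sh
# Added example, not from the thread. iptables walks the OUTPUT chain top-down
# and stops at the first match, so a "-A OUTPUT ... --dport 25 -j REJECT"
# appended behind an earlier CSF "-j ACCEPT" for port 25 never matches.
# Assumes a stock iptables; run as root.

# Insert the four rules in front of everything else in OUTPUT. They are
# inserted at position 1 in reverse order so the final order is:
# mail ACCEPT, root ACCEPT, loopback ACCEPT, REJECT.
install_outbound_25_rules() {
    for rule in \
        '-p tcp --dport 25 -j REJECT' \
        '-p tcp -d 127.0.0.1 --dport 25 -j ACCEPT' \
        '-m owner --uid-owner root -p tcp --dport 25 -j ACCEPT' \
        '-m owner --uid-owner mail -p tcp --dport 25 -j ACCEPT'
    do
        # word splitting of $rule into separate arguments is intended here
        iptables -I OUTPUT 1 $rule
    done
}

# Read "iptables -S OUTPUT" on stdin, print every rule that mentions port 25
# in evaluation order, and return 1 when an ACCEPT that is neither owner- nor
# loopback-restricted comes before the REJECT (that REJECT can never fire).
check_outbound_25_order() {
    awk '
        /--dport 25( |$)/ {
            printf "%d: %s\n", ++n, $0
            if ($0 ~ /-j ACCEPT/ && $0 !~ /--uid-owner/ && $0 !~ /127\.0\.0\.1/ && !seen_reject)
                dead = 1
            if ($0 ~ /-j REJECT/) seen_reject = 1
        }
        END { exit dead ? 1 : 0 }'
}
```

Run `iptables -S OUTPUT | check_outbound_25_order` after CSF has loaded its rules; a non-zero exit means an unrestricted ACCEPT sits above your REJECT.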
 
Spam started again. It is really a nightmare. There is nothing in the mailqueue / exim/maillog. I am made aware by hotmail spam complaint mails and afterwards I am blacklisted. No csf or directadmin alert mail.
 
To explain something which also works that way in Windows. A virus scanner is designed to find viruses, not malware. In fact viruses are also malware, but a trojan is no virus. Some scanners have some signatures to be able to detect some malware, but that is limited.
Maldetect is specialised in finding malware, trojans and malicious scripts. So Clamav won't find everything, just as Windows virus scanners won't find everything. On Windows we use tools like Malware Bytes and, if it gets harder, ADWCleaner to remove malicious stuff. On Linux we luckily have Maldetect.

But I can telnet to outbound fine.
As root user? That's okay, you should be able to telnet out as root user.
Again, you should not block outgoing port 25, it's used to send out mail to other mailservers.
CSF is limiting it to mail and mailman if everything is working as designed so that's fine.

Maybe you were infected by Cryptphp. That is using a filename social.png which is in fact no .png file. If you edit the file you will see php code.
However there are some social.png files which are not trojans.
Cryptphp makes a mail socket which can be sending out spam.

You could check Maldetect's logfiles to see if and what it has found. I suggest keeping Maldetect on your servers and have it run regularly.

I see it started again. Check for cryptphp, look for social.png files and see if they have php code, or have somebody else check your server. Be sure the complaints come from new spam and not from spam already sent but only now getting reported.
 
Thank you Richard. I hope that hotmail spam report is old. And I set maldetect with a cron. Will see.. Thank you again. I feel like maldetect will have a good success of finding spammer files.
 
You're welcome.
Maldetect is great, we've got it on all our servers running with cron, checks every day.

Watch out for hacked accounts which can infect with malware again through other files. So keep an eye on all your logs.
 