Stopping a kind of mail bombing attack

albatroz (Verified User, joined Mar 13, 2004, Peru)
I have noticed this weird behaviour that may be burning my bandwidth...

Look at these lines of my /var/log/exim/mainlog file:

=> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=26455 H=mx1.imr.gm.com [192.85.154.104] X=TLSv1:DHE-RSA-AES256-SHA:256 C="250 2.0.0 k15LCq64018278 Message accepted for delivery"

It seems like myuser@mydomain is sending emails to [email protected]

However I am almost sure that user is not doing so.

There are a lot of lines like these repeating, so I have the impression that this issue is burning my bandwidth. How can I avoid this?
I have changed the username, but I am not sure if this is working...
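As an added example (not code from the thread), a small Python parser for the `=>` delivery lines of an exim mainlog that totals outbound deliveries and bytes per `F=` sender and per remote `H=` host, so one local address fanning out to many recipients, as in the line above, stands out. It assumes the standard date/time and message-id prefix on each line and runs over constructed sample lines whose addresses and dates are placeholders.

```python
import re
from collections import Counter, defaultdict

# Delivery ("=>") lines of an exim mainlog, in the field order the thread's
# quoted line shows; the date/message-id prefix is not required by the regex.
DELIVERY_RE = re.compile(
    r"=> (?P<rcpt>\S+) F=<(?P<sender>[^>]*)>.*? S=(?P<size>\d+)"
    r"(?: H=(?P<host>\S+) \[(?P<ip>[^\]]+)\])?"
)

def parse_delivery(line):
    """Parse one '=>' delivery line; return None for arrival/Completed/etc."""
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    return d

def summarize(log_text):
    """Count deliveries and bytes per F= sender, and deliveries per H= host."""
    per_sender = defaultdict(lambda: {"count": 0, "bytes": 0})
    per_host = Counter()
    for line in log_text.splitlines():
        d = parse_delivery(line)
        if d is None:
            continue
        per_sender[d["sender"]]["count"] += 1
        per_sender[d["sender"]]["bytes"] += d["size"]
        if d["host"]:
            per_host[d["host"]] += 1
    return dict(per_sender), per_host

def flagged_senders(per_sender, threshold):
    """Senders whose delivery count reaches the threshold, i.e. one local
    address fanning out to many remote recipients as in the thread."""
    return sorted(s for s, v in per_sender.items() if v["count"] >= threshold)

# Constructed sample in mainlog shape (addresses and dates are placeholders;
# hosts and message ids are the ones quoted in the thread).
SAMPLE_LOG = """\
2006-02-05 17:48:02 1F5rKv-00050f-EL => target1@example.org F=<webform@mydomain.example> R=lookuphost T=remote_smtp S=26455 H=mx1.imr.gm.com [192.85.154.104] C="250 2.0.0 Message accepted for delivery"
2006-02-05 17:48:03 1F5rKv-00050f-EL => target2@example.org F=<webform@mydomain.example> R=lookuphost T=remote_smtp S=26455 H=mx.mail.rcn.net [207.172.4.98] C="250 ok"
2006-02-05 17:48:03 1F5rKv-00050f-EL Completed
2006-02-05 17:49:10 1F5r68-0004Bu-Kl => target3@example.org F=<webform@mydomain.example> R=lookuphost T=remote_smtp S=26455 H=mx.mail.rcn.net [207.172.4.98] C="250 ok"
2006-02-05 17:50:00 1F5nR0-0002YG-DV => alice@example.net F=<alice@mydomain.example> R=lookuphost T=remote_smtp S=1200 H=batch3.csd.uwm.edu [129.89.169.226] C="250 ok"
"""

if __name__ == "__main__":
    senders, hosts = summarize(SAMPLE_LOG)
    print(senders, hosts.most_common(2), flagged_senders(senders, 3))
```

On a real box, feed it the output of `grep ' => ' /var/log/exim/mainlog` for the day in question; the sender with the largest byte total is the one to disable first.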
 
I'm having the exact same issue. Here are some things I see when I do a ps -ef | grep exim:

root 863 1 0 17:48 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 2 1F5rKv-00050f-EL
root 869 1 0 17:48 ? 00:00:00 /usr/sbin/exim -MCS -MCP -MCQ 32374 4 -MC remote_smtp batch3.csd.uwm.edu 129.89.169.226 2 1F5nR0-0002YG-DV
root 963 1 0 17:49 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 4 1F5r68-0004Bu-Kl
mail 1059 963 0 17:49 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 4 1F5r68-0004Bu-Kl
mail 1274 32375 0 17:51 ? 00:00:00 /usr/sbin/exim -q
mail 1314 869 0 17:51 ? 00:00:00 /usr/sbin/exim -MCS -MCP -MCQ 32374 4 -MC remote_smtp batch3.csd.uwm.edu 129.89.169.226 2 1F5nR0-0002YG-DV
mail 1396 863 0 17:52 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 2 1F5rKv-00050f-EL

Please, I need immediate help with this. It's burned 14% of my monthly bandwidth just today and has slowed down my network speeds horribly.
 
I have run a full freshclam and then a complete clamscan of my entire system, nothing is coming up.
 
My best guess is that you've got a script somewhere on your domain sending email; probably a script with a vulnerability that lets spammers inject email addresses.

Find your form-to-email page and disable it, and see if that stops the outgoing email.

(It may take a while because there could be lots of outgoing email in the exim queue.)

Jeff
 
What exim version are you guys using?
I had this problem also on exim 4.43. After doing some googling I found that there was a remote exploit for all exim until 4.44; what I did to solve this was updating exim to 4.60, which worked great for me.

I hope this helps

Cheers
 