Strange spam through my server

remikk
Hi
First, sorry for my English.
A few days ago I had a problem with spam being sent through my mail server.
Example from the log:
Code:
2014-11-20 16:35:34 1XrTld-0003B6-Kn <= [email protected] H=mail.expertmail126.co.uk (mail.longlife-fabrics.pl) [23.95.52.123] P=esmtp S=574 T="Venda suas Milhas Aereas com Seguranca." from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2014-11-20 16:35:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XrTld-0003B6-Kn
2014-11-20 16:35:36 1XrTld-0003B6-Kn => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mx1.hotmail.com [65.55.37.72] X=TLSv1:AES256-SHA:256 C="250 <[email protected]> Queued mail for delivery"
2014-11-20 16:35:36 1XrTld-0003B6-Kn -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mx1.hotmail.com [65.55.37.72] X=TLSv1:AES256-SHA:256 C="250 <[email protected]> Queued mail for delivery"
2014-11-20 16:35:37 1XrTld-0003B6-Kn => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mta5.am0.yahoodns.net [98.136.216.25] X=TLSv1:RC4-SHA:128 C="250 ok dirdel"
2014-11-20 16:35:39 1XrTld-0003B6-Kn => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mx3.hotmail.com [207.46.8.167] X=TLSv1:AES256-SHA:256 C="250 <[email protected]> Queued mail for delivery"
2014-11-20 16:35:39 1XrTld-0003B6-Kn -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mx3.hotmail.com [207.46.8.167] X=TLSv1:AES256-SHA:256 C="250 <[email protected]> Queued mail for delivery"
2014-11-20 16:35:40 1XrTld-0003B6-Kn => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mx3.bol.com.br [200.147.36.13] C="250 2.0.0 Ok: queued as 3jk4j75wnLzKLKBv"
2014-11-20 16:35:41 1XrTld-0003B6-Kn => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mx4.hotmail.com [65.55.37.104] X=TLSv1:AES256-SHA:256 C="250 <[email protected]> Queued mail for delivery"
2014-11-20 16:35:41 1XrTld-0003B6-Kn -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mx4.hotmail.com [65.55.37.104] X=TLSv1:AES256-SHA:256 C="250 <[email protected]> Queued mail for delivery"
2014-11-20 16:35:41 1XrTld-0003B6-Kn -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mx4.hotmail.com [65.55.37.104] X=TLSv1:AES256-SHA:256 C="250 <[email protected]> Queued mail for delivery"
2014-11-20 16:35:41 1XrTld-0003B6-Kn -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=591 H=mx4.hotmail.com [65.55.37.104] X=TLSv1:AES256-SHA:256 C="250 <[email protected]> Queued mail for delivery"
2014-11-20 16:35:41 1XrTld-0003B6-Kn Completed
After this my server was blacklisted.

H=mail.expertmail126.co.uk (mail.longlife-fabrics.pl) [23.95.52.123]:

mail.longlife-fabrics.pl is a domain on my server, but 23.95.52.123 is not my IP address. In the parentheses I've seen other domains of mine as well.

First I tried suspending every account in DA, but spam was still being sent. I found the troubleshooting article http://help.directadmin.com/item.php?id=360, so I changed limit_unknown to 1 and the spam stopped. Every message in my queue was frozen, but I still had the attack.
Only one thing helped me: I blocked the subnet which was sending the spam on my firewall.

I'd like to ask how I could prevent this? I don't have an open relay. I use Exim 4.80.1 and SpamBlocker 4.1.
Setting limit_unknown to 1 or another number is not a good solution, because when the limit is used the forwarders stop working.
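One way to spot this pattern in the mainlog before a blacklist does is to parse the "<=" (message accepted) lines and flag messages that arrive from an outside IP without SMTP AUTH, especially when the HELO name claims a domain hosted on the box. This is an added example written for this page, not code from the thread or from DirectAdmin; the local domain list, the trusted ranges, and the sample log lines are constructed (only the H= fragments of the first and last accept lines are copied from the thread; all addresses are made up).

```python
import ipaddress
import re
from collections import defaultdict

# Domains hosted on this server and the address ranges we trust to submit without
# SMTP AUTH (constructed for the example; on a DirectAdmin box take them from its config).
LOCAL_DOMAINS = {"longlife-fabrics.pl", "softgroup.pl"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# Constructed mainlog excerpt in Exim's "<=" (message accepted) format. The first and last
# accept lines mirror the host/IP parts of lines in the thread (addresses made up); the
# middle two are made-up legitimate traffic for contrast.
SAMPLE_LOG = """\
2014-11-20 16:35:34 1XrTld-0003B6-Kn <= spammer@example.net H=mail.expertmail126.co.uk (mail.longlife-fabrics.pl) [23.95.52.123] P=esmtp S=574 T="Venda suas Milhas Aereas com Seguranca." from <spammer@example.net> for a@hotmail.com b@hotmail.com c@yahoo.com
2014-11-20 16:35:41 1XrTld-0003B6-Kn Completed
2014-11-20 16:40:02 1XrTqc-0003C1-Aa <= user@longlife-fabrics.pl H=(desktop) [192.0.2.10] P=esmtpa A=dovecot_login:user@longlife-fabrics.pl S=1200 T="Monthly report" from <user@longlife-fabrics.pl> for boss@example.org
2014-11-20 16:41:15 1XrTrj-0003C7-Bb <= news@example.com H=mx.example.com [198.51.100.7] P=esmtp S=900 T="Newsletter" from <news@example.com> for user@longlife-fabrics.pl
2014-11-25 08:17:33 1XtANQ-0000eD-Ih <= bulk@example.net H=(227.88.22) [216.170.115.193] P=smtp S=2100 T="Limpamos Sua Empresa" from <bulk@example.net> for x@bol.com.br y@hotmail.com
"""

# H= is "rdns (helo) [ip]": rdns is missing when the reverse lookup failed, and the
# "(helo)" part is only shown when the HELO name differs from the rdns name.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<rdns>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
AUTH_RE = re.compile(r" A=(?P<auth>\S+)")            # present only on SMTP AUTH submissions
RCPT_RE = re.compile(r" from <[^>]*> for (?P<rcpts>.+)$")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_local_domain(name):
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in LOCAL_DOMAINS)


def is_trusted_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text):
    """One record per accepted message, with the reasons (if any) it looks like relay abuse."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue                      # deliveries (=>), Completed, rejects: not accept lines
        auth = AUTH_RE.search(m["rest"])
        rm = RCPT_RE.search(m["rest"])
        rcpts = rm["rcpts"].split() if rm else []
        helo = m["helo"] or ""
        reasons = []
        if not auth and not is_trusted_ip(m["ip"]):
            if is_local_domain(helo):
                reasons.append("forged_helo")    # claims a domain we host, from an outside IP
            if any(not is_local_domain(domain_of(r)) for r in rcpts):
                reasons.append("unauth_relay")   # outside -> outside with no SMTP AUTH
        findings.append({
            "msgid": m["msgid"], "ip": m["ip"], "helo": helo, "rdns": m["rdns"] or "",
            "auth": auth["auth"] if auth else "", "sender": m["sender"],
            "rcpt_count": len(rcpts), "reasons": reasons,
        })
    return findings


def summarize_by_ip(findings):
    """Flagged messages and recipient counts per sending IP: the list to investigate or block."""
    per_ip = defaultdict(lambda: {"messages": 0, "recipients": 0, "reasons": set()})
    for f in findings:
        if f["reasons"]:
            entry = per_ip[f["ip"]]
            entry["messages"] += 1
            entry["recipients"] += f["rcpt_count"]
            entry["reasons"].update(f["reasons"])
    return dict(per_ip)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f["msgid"], f["ip"], repr(f["helo"]), f["auth"] or "-", f["rcpt_count"],
              ",".join(f["reasons"]) or "ok")
    for ip, s in summarize_by_ip(results).items():
        print(ip, s["messages"], "msgs", s["recipients"], "rcpts", sorted(s["reasons"]))
```

Run it against /var/log/exim/mainlog (or wherever DirectAdmin's Exim logs) instead of SAMPLE_LOG and sort the summary by recipient count; the two flagged IPs here are exactly the kind of entry the thread ends up blocking at the firewall, and a message carrying A= is never flagged, which is the difference between a relay hole and a stolen password.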
 
Today I have one more host which sends through my server.
This is the header:
Code:
1Xst8g-0002sX-8j-H
mail 8 8
<[email protected]>
1416833590 0
-helo_name mail.eko24.pl
-host_address 23.92.60.66.65392
-interface_address 91.227.88.22.25
-received_protocol esmtp
-body_linecount 35
-max_received_linelength 119
-host_lookup_failed
YY [email protected]
YY [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
10
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

187P Received: from [23.92.60.66] (helo=mail.eko24.pl)
	by da3.softgroup.pl with esmtp (Exim 4.80.1)
	(envelope-from <[email protected]>)
	id 1Xst8g-0002sX-8j; Mon, 24 Nov 2014 13:53:10 +0100
048F From: "Gerador de sistemas" <[email protected]>
061  Subject: Crie programas e sistemas mesmo sem saber programar
033T To: [email protected]
025  Content-Type: text/plain
037R Reply-To: [email protected]
038  Date: Mon, 24 Nov 2014 12:53:13 +0000
077  X-Antivirus-Scanner: Seems clean.  You should still use an Antivirus Scanner
 
Looks a bit like authenticated mail, but the info is missing, which probably means the password of the account has been hacked.
This could be caused by malware on a computer which makes use of the email account(s).

Do you have these lines under log_selector in exim.conf? If not, add them:
Code:
+connection_reject \
+address_rewrite \
+all_parents \
+arguments \

You can't always prevent these things. It happens a lot that malware hijacks email passwords. Next to that, hundreds of brute-force attempts are taking place on email and FTP accounts, so using a good firewall like CSF/LFD is a must.
But even then... when a user uses a malicious or leaky script for his Joomla or WordPress installation, it can still happen that spam originates from your server.
The trick is to discover it as soon as possible and stop it.
 
I've added them and turned off the firewall for a moment. The spam started, but I don't see a difference.

Code:
1XtANQ-0000eD-Ih-H
mail 8 8
<[email protected]>
1416899852 0
-helo_name 227.88.22
-host_address 198.143.128.157.4049
-interface_address 91.227.88.22.25
-received_protocol smtp
-body_linecount 41
-max_received_linelength 130
-host_lookup_failed
YY [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
NY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
10
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

187P Received: from [198.143.128.157] (helo=227.88.22)
	by da3.softgroup.pl with smtp (Exim 4.80.1)
	(envelope-from <[email protected]>)
	id 1XtANQ-0000eD-Ih; Tue, 25 Nov 2014 08:17:33 +0100
078F From: Sucatas!Residuos! =?ISO-8859-1?Q?=C9?= Fim de Ano! <[email protected]>
075  Subject: Limpamos Sua Empresa =?ISO-8859-1?Q?C/Pre=E7o?= Baixo e Qualidade
028T To: [email protected]
025  Content-Type: text/plain
031R Reply-To: [email protected]
050  Disposition-Notification-To: [email protected]
038  Date: Tue, 25 Nov 2014 05:17:41 -0200
077  X-Antivirus-Scanner: Seems clean.  You should still use an Antivirus Scanner
 
Maybe some trojan with its own SMTP server or something like that.
Try this command from SSH and see if it gives you any clues:
Code:
lsof -i | grep smtp

Have you installed and run Maldetect?
 
198.143.128.0/24 # spammer
216.170.115.0/24 # spammer
177.189.212.0/24 #spammer
23.95.52.0/24 # spammer
198.143.150.0/24 # spammer
23.95.88.0/24 # spammer

These subnets send spam through my server, so I blocked them on the firewall. But I don't know for how long. Maldetect does not show me anything.

Code:
lsof -i | grep smtp
exim      11009     mail    9u  IPv4 39714201      0t0  TCP da3.softgroup.pl:smtp->mail-db3on0065.outbound.protection.outlook.com:60566 (ESTABLISHED)
exim      11009     mail   10u  IPv4 39714201      0t0  TCP da3.softgroup.pl:smtp->mail-db3on0065.outbound.protection.outlook.com:60566 (ESTABLISHED)
exim      11147     mail    9u  IPv4 39715352      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:3203 (ESTABLISHED)
exim      11147     mail   10u  IPv4 39715352      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:3203 (ESTABLISHED)
exim      11149     mail    9u  IPv4 39715369      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:3895 (ESTABLISHED)
exim      11149     mail   10u  IPv4 39715369      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:3895 (ESTABLISHED)
exim      11151     mail    9u  IPv4 39715384      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:60528 (ESTABLISHED)
exim      11151     mail   10u  IPv4 39715384      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:60528 (ESTABLISHED)
exim      11153     mail    9u  IPv4 39715401      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->mail.expertmail126.co.uk:2291 (ESTABLISHED)
exim      11153     mail   10u  IPv4 39715401      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->mail.expertmail126.co.uk:2291 (ESTABLISHED)
exim      11154     mail    9u  IPv4 39715407      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:63481 (ESTABLISHED)
exim      11154     mail   10u  IPv4 39715407      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:63481 (ESTABLISHED)
exim      11155     mail    9u  IPv4 39715413      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:3918 (ESTABLISHED)
exim      11155     mail   10u  IPv4 39715413      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:3918 (ESTABLISHED)
exim      11158     mail    9u  IPv4 39715454      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:4817 (ESTABLISHED)
exim      11158     mail   10u  IPv4 39715454      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:4817 (ESTABLISHED)
exim      11159     mail    9u  IPv4 39715462      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:63521 (ESTABLISHED)
exim      11159     mail   10u  IPv4 39715462      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:63521 (ESTABLISHED)
exim      11160     mail    9u  IPv4 39715468      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:60081 (ESTABLISHED)
exim      11160     mail   10u  IPv4 39715468      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:60081 (ESTABLISHED)
exim      11161     mail    9u  IPv4 39715474      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:4639 (ESTABLISHED)
exim      11161     mail   10u  IPv4 39715474      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:4639 (ESTABLISHED)
exim      11176     mail    3u  IPv6 39715582      0t0  TCP *:smtp (LISTEN)
exim      11176     mail    4u  IPv4 39715583      0t0  TCP *:smtp (LISTEN)
exim      11176     mail    5u  IPv6 39715584      0t0  TCP *:ssmtp (LISTEN)
exim      11176     mail    6u  IPv4 39715585      0t0  TCP *:ssmtp (LISTEN)
exim      11230     mail    9u  IPv4 39715679      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:1161 (ESTABLISHED)
exim      11230     mail   10u  IPv4 39715679      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:1161 (ESTABLISHED)
exim      11231     mail    9u  IPv4 39715689      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:4785 (ESTABLISHED)
exim      11231     mail   10u  IPv4 39715689      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:4785 (ESTABLISHED)
exim      11232     mail    9u  IPv4 39715697      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:4797 (ESTABLISHED)
exim      11232     mail   10u  IPv4 39715697      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:4797 (ESTABLISHED)
exim      11233     mail    9u  IPv4 39715703      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:1051 (ESTABLISHED)
exim      11233     mail   10u  IPv4 39715703      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:1051 (ESTABLISHED)
exim      11239     mail    9u  IPv4 39715760      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:63733 (ESTABLISHED)
exim      11239     mail   10u  IPv4 39715760      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:63733 (ESTABLISHED)
exim      11240     mail    9u  IPv4 39715766      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:63736 (ESTABLISHED)
exim      11240     mail   10u  IPv4 39715766      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:63736 (ESTABLISHED)
check_smt 11243   nagios    3u  IPv4 39715801      0t0  TCP localhost:37793->localhost:smtp (ESTABLISHED)
exim      11245     mail    9u  IPv4 39715802      0t0  TCP localhost:smtp->localhost:37793 (ESTABLISHED)
exim      11245     mail   10u  IPv4 39715802      0t0  TCP localhost:smtp->localhost:37793 (ESTABLISHED)
check_smt 11247   nagios    3u  IPv4 39715830      0t0  TCP localhost:37794->localhost:smtp (ESTABLISHED)
exim      11248     mail    9u  IPv4 39715831      0t0  TCP localhost:smtp->localhost:37794 (ESTABLISHED)
exim      11248     mail   10u  IPv4 39715831      0t0  TCP localhost:smtp->localhost:37794 (ESTABLISHED)
exim      11344     mail    9u  IPv4 39716696      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:2056 (ESTABLISHED)
exim      11344     mail   10u  IPv4 39716696      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:2056 (ESTABLISHED)
exim      11347     mail    9u  IPv4 39716721      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:60947 (ESTABLISHED)
exim      11347     mail   10u  IPv4 39716721      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:60947 (ESTABLISHED)
exim      11349     mail    9u  IPv4 39716737      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->216.170.115.193:cisco-sccp (ESTABLISHED)
exim      11349     mail   10u  IPv4 39716737      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->216.170.115.193:cisco-sccp (ESTABLISHED)
exim      11350     mail    9u  IPv4 39716742      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:2441 (ESTABLISHED)
exim      11350     mail   10u  IPv4 39716742      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:2441 (ESTABLISHED)
exim      11351     mail    9u  IPv4 39716749      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:1281 (ESTABLISHED)
exim      11351     mail   10u  IPv4 39716749      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:1281 (ESTABLISHED)
exim      11354     mail    9u  IPv4 39716761      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:1285 (ESTABLISHED)
exim      11354     mail   10u  IPv4 39716761      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:1285 (ESTABLISHED)
exim      11355     mail    9u  IPv4 39716780      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:1311 (ESTABLISHED)
exim      11355     mail   10u  IPv4 39716780      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:1311 (ESTABLISHED)
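To turn lsof output like the above into the clue Richard is asking for, the following added example (not code from the thread or from any of the tools it mentions) collapses the duplicate 9u/10u descriptors into one entry per connection, separates inbound SMTP sessions (a remote host connected to our port 25) from Exim's own outbound deliveries, and lists non-Exim processes touching SMTP, which is where a trojan with its own mailer would show up. The sample output is constructed in the same shape as the thread's; the outbound line to mx1.hotmail.com is made up for contrast.

```python
import re
from collections import Counter

# Constructed "lsof -i | grep smtp" output in the layout of the thread's listing. Exim holds
# each accepted connection on two descriptors (9u and 10u), so every session appears twice.
SAMPLE_LSOF = """\
exim      11147     mail    9u  IPv4 39715352      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:3203 (ESTABLISHED)
exim      11147     mail   10u  IPv4 39715352      0t0  TCP da3.softgroup.pl:smtp->larissa.server.com:3203 (ESTABLISHED)
exim      11149     mail    9u  IPv4 39715369      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:3895 (ESTABLISHED)
exim      11149     mail   10u  IPv4 39715369      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->larissa.server.com:3895 (ESTABLISHED)
exim      11151     mail    9u  IPv4 39715384      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:60528 (ESTABLISHED)
exim      11151     mail   10u  IPv4 39715384      0t0  TCP host-91-227-88-22.softgroup.pl:smtp->177-189-212-226.dsl.telesp.net.br:60528 (ESTABLISHED)
exim      11176     mail    3u  IPv6 39715582      0t0  TCP *:smtp (LISTEN)
exim      11176     mail    4u  IPv4 39715583      0t0  TCP *:smtp (LISTEN)
check_smt 11243   nagios    3u  IPv4 39715801      0t0  TCP localhost:37793->localhost:smtp (ESTABLISHED)
exim      11245     mail    9u  IPv4 39715802      0t0  TCP localhost:smtp->localhost:37793 (ESTABLISHED)
exim      20001     mail    9u  IPv4 39720000      0t0  TCP da3.softgroup.pl:44512->mx1.hotmail.com:smtp (ESTABLISHED)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>IPv[46])\s+"
    r"(?P<dev>\S+)\s+(?P<size>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<name>\S+)"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)
SMTP_PORTS = {"smtp", "ssmtp", "submission", "25", "465", "587"}


def split_endpoint(endpoint):
    """'host:port' -> (host, port); rpartition keeps IPv6 literals intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def summarize_lsof(text):
    """Count SMTP sessions per remote host, by direction, with duplicates removed."""
    seen = set()
    inbound, outbound = Counter(), Counter()
    listening, foreign = [], []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        key = (m["pid"], m["dev"])        # same socket on two fds has the same DEVICE number
        if key in seen:
            continue
        seen.add(key)
        if m["state"] == "LISTEN":
            listening.append((m["cmd"], m["name"]))
            continue
        if "->" not in m["name"]:
            continue
        local, remote = m["name"].split("->", 1)
        _, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        if m["cmd"] != "exim":             # anything else speaking SMTP deserves a look
            foreign.append((m["cmd"], m["user"], m["name"]))
            continue
        if lport in SMTP_PORTS:
            inbound[rhost] += 1            # they connected to us: a client or a relay attempt
        elif rport in SMTP_PORTS:
            outbound[rhost] += 1           # we connected to them: a delivery in progress
    return {"inbound": inbound, "outbound": outbound, "listening": listening, "foreign": foreign}


if __name__ == "__main__":
    s = summarize_lsof(SAMPLE_LOF if False else SAMPLE_LSOF)
    for host, n in s["inbound"].most_common():
        print(f"inbound  {n:3d}  {host}")
    for host, n in s["outbound"].most_common():
        print(f"outbound {n:3d}  {host}")
    print("listening:", s["listening"])
    print("non-exim SMTP users:", s["foreign"])
```

Pipe the real listing in with `lsof -i -n -P | python3 this_script.py` after replacing SAMPLE_LSOF with `sys.stdin.read()`; with -n -P the remote side appears as IP:25 rather than a name, which is also what you would feed to the firewall. In the thread's listing nearly everything is inbound from a handful of hosts while nothing non-Exim is holding an SMTP socket, which points at relaying through Exim rather than a local mailer trojan.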
 
Try updating Maldetect again; it seems since last night it also detects CryptoPHP, which is at this moment widely used to spam via a png file.

Next to that you can also use a tool Fox-IT developed to detect CryptoPHP infections:
A colleague said you could run it like this:
Code:
wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
wget https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_url.py
chmod 775 ./check_filesystem.py
chmod 775 check_url.py
./check_filesystem.py /home
./check_url.py --verbose site.com
 
As I don't see an auth for exim, the auth was probably done with dovecot, and they're relying on da-popb4smtp.
You could disable it to tighten the security, and make tracking easier:
http://help.directadmin.com/item.php?id=467

Check:
/var/log/maillog*
for that IP address, to see how they're logging in.

Check:
Admin Level -> Brute Force Monitor

Chances are they've either brute-forced their way to figuring out the password, or else they were able to nab the password using a network attack (packet monitoring on unsecured connections).
Using SSL/TLS for all mail connections is very important.

If you don't have an actively blocking firewall, install one:
http://help.directadmin.com/item.php?id=527

John
 
John

Thanks for your reply. I've changed exim.conf as in your first link. I also checked /var/log/mail.log for the spammer IP address, but I didn't find it.

I have CSF, but if I put in the modification about smtpauth it doesn't work for these IPs; they are not blocked. I think they don't use auth.

Richard

I used ./check_filesystem.py /home but got no result.
I ran it on some potential domains:
Code:
./check_url.py --verbose http://www.stiga.pl
Checking 'http://www.stiga.pl' ..: POSSIBLE CRYPTOPHP DETECTED
 * Normal request yielded 60 urls, Webcrawler request yielded 61 urls. (0 suspicous links)
  - sklep/kosiarki/spalinowe_4_w_1/combi_48_sq_b_1780.html
  - sklep/kosiarki_zabawki/traktor_zabawka.html
  - sklep/urzadzenia_wielofunkcyjne/silex_95_h.html
  - sklep/traktory_ogrodowe_2/traktory_ogrodowe_z_centralnym_agregatem_tnacym/traktory_ogrodowe_z_koszem/estate_royal_-_zestaw_ze_szczotka_zamiatajaca.html
  - sklep/odsniezarki/odsniezarki_spalinowe/st_3256_p.html
  - sklep/traktory_ogrodowe_2/traktory_ogrodowe_z_centralnym_agregatem_tnacym/traktory_ogrodowe_z_koszem/estate_7122_hws.html
  - koszyk/dodaj/estate_7122_hws.html
  - sklep/glebogryzarki/src_550_b.html
  - sklep/traktory_ogrodowe_2/kosiarki_samojezdne/park/park_prestige_4wd_z_agregatem_95_combi_i_plugiem_120_cm.html
  - sklep/kosiarki/spalinowe_4_w_1/turbo_53_se4q_b.html
  - sklep/sekatory/elektryczne_218/sgs_60_li_-_nozyce_akumulatorowe.html
  - sklep/kosiarki_elektryczne/combi_44_e.html
  - sklep/odsniezarki/odsniezarki_spalinowe/st_3255_p.html
  - sklep/odsniezarki/odsniezarki_spalinowe/snow_hunter.html
  - sklep/kosiarki/spalinowe_z_koszem/combi_48_b.html

Code:
./check_url.py --verbose http://www.eko24.pl
Checking 'http://www.eko24.pl' ..: POSSIBLE CRYPTOPHP DETECTED
 * Normal request yielded 120 urls, Webcrawler request yielded 120 urls. (0 suspicous links)
  - http://www.eco24.pl/
  - http://e-odpady.com/wps/portal/
  - /article/read/show/article/225
  - http://www.prawoochronysrodowiska.com.pl
  - http://www.eco24.pl
  - /article/read/show/article/200

So it is only "possible CryptoPHP".
But if I scan this folder with maldet I don't find anything.

If I suspend this account, the spammer still sends through my server.
 
Phew... that's a good one. If they are still sending spam, the suspended accounts are not the correct ones or not the only ones.
OK, I presume you are running PHP 5.3 or better?
If no CryptoPHP is discovered and Maldetect did not detect any other malware, it's hard to tell what is going on.

Check your mail queue for returning messages, then open them and look in the headers if you can find something which looks like:
X-PHP-Originating-Script
in the header. This might point to the file which is abused.

If you can't find it, you can probably best suspend a couple of accounts, wait 2 minutes, see if mail still gets out; if yes, unsuspend and try the next few.

However, if it's a script, and you set SMTP_ALLOWLOCAL = "0" (and restart csf and lfd) and mail is still sent out, they are probably using authenticated mail. You should be able to see if it's authenticated after the exim.conf changes.
If mail stops when changing this CSF setting, it's almost certainly a script.
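The spool -H dumps posted earlier in the thread carry the origin information Richard and John are reading from (no -auth_id line, so no SMTP AUTH), and the reply above adds the X-PHP-Originating-Script header as the thing to look for when a web script is the source. The following added example (not code from the thread or from DirectAdmin) parses a spool -H file following the spool file layout from the Exim spec and classifies the message as unauthenticated SMTP, authenticated SMTP, or a local submission. The three sample spool files are constructed: the first copies the HELO, IPs and Received header of the thread's dump with made-up addresses, and "mailer.php" is a made-up script name.

```python
import re

# One stored header line: <length><flag> <Name>: <value>; folded continuation lines are indented.
HEADER_START = re.compile(r"^(?P<len>\d{3,})(?P<flag>.) (?P<name>[^\s:]+):[ \t]*(?P<value>.*)$")

# Constructed spool files laid out like the -H dumps in the thread (addresses are made up; the
# first reuses the thread's HELO, IPs and Received header). The -local one imitates a message
# handed to Exim by a PHP script through sendmail, carrying the header PHP adds for that.
SPOOL_UNAUTH = """\
1Xst8g-0002sX-8j-H
mail 8 8
<bulk@example.net>
1416833590 0
-helo_name mail.eko24.pl
-host_address 23.92.60.66.65392
-interface_address 91.227.88.22.25
-received_protocol esmtp
-host_lookup_failed
YY one@example.org
NN two@example.org
2
one@example.org
two@example.org

187P Received: from [23.92.60.66] (helo=mail.eko24.pl)
\tby da3.softgroup.pl with esmtp (Exim 4.80.1)
\t(envelope-from <bulk@example.net>)
\tid 1Xst8g-0002sX-8j; Mon, 24 Nov 2014 13:53:10 +0100
048F From: "Gerador de sistemas" <bulk@example.net>
061  Subject: Crie programas e sistemas mesmo sem saber programar
"""
SPOOL_AUTH = """\
1XuBBB-0002bb-Cc-H
mail 8 8
<user@longlife-fabrics.pl>
1416900000 0
-helo_name laptop
-host_address 192.0.2.10.51234
-received_protocol esmtpa
-host_auth dovecot_login
-auth_id user@longlife-fabrics.pl
1
boss@example.org

024  Subject: Monthly report
"""
SPOOL_LOCAL = """\
1XuCCC-0003cc-Dd-H
webuser 1001 1001
<webuser@longlife-fabrics.pl>
1416900100 0
-received_protocol local
-local
1
victim@example.org

043  X-PHP-Originating-Script: 1001:mailer.php
030  Subject: Gerador de sistemas
"""


def parse_spool_header(text):
    """Parse an Exim spool -H file: id, calling user, envelope sender, -options, recipients, headers."""
    meta, _, header_text = text.partition("\n\n")
    lines = meta.splitlines()
    login = lines[1].split()[0]             # line 2 is "<login> <uid> <gid>"
    options, recipients = {}, []
    i = 4                                   # lines 1-4: id, login, sender, receive time/warning count
    while i < len(lines):
        line = lines[i]
        if line.startswith("-"):            # "-key value"; flag options such as -local have no value
            key, _, value = line[1:].partition(" ")
            options[key] = value
        elif line.isdigit():                # recipient count, then that many recipient lines
            count = int(line)
            recipients = [l.split()[0] for l in lines[i + 1:i + 1 + count]]
            break
        i += 1                              # otherwise the non-recipients tree (YY/NN lines)
    headers = []
    for line in header_text.splitlines():
        m = HEADER_START.match(line)
        if m:
            headers.append([m["name"], m["value"]])
        elif headers and line[:1] in ("\t", " "):
            headers[-1][1] += " " + line.strip()    # folded continuation line
    return {"msgid": lines[0][:-2] if lines[0].endswith("-H") else lines[0], "login": login,
            "envelope_from": lines[2].strip("<>"), "options": options,
            "recipients": recipients, "headers": dict(headers)}


def classify_origin(msg):
    """How the message entered Exim: local command, authenticated SMTP, or plain SMTP."""
    opts, headers = msg["options"], msg["headers"]
    if "local" in opts or "host_address" not in opts:
        return {"kind": "local", "user": msg["login"],
                "script": headers.get("X-PHP-Originating-Script", "")}
    ip, _, _port = opts["host_address"].rpartition(".")   # spool stores IPv4 as a.b.c.d.port
    if "auth_id" in opts:
        return {"kind": "auth", "ip": ip, "auth_id": opts["auth_id"],
                "authenticator": opts.get("host_auth", "")}
    return {"kind": "unauth", "ip": ip, "helo": opts.get("helo_name", ""),
            "protocol": opts.get("received_protocol", "")}


if __name__ == "__main__":
    for spool in (SPOOL_UNAUTH, SPOOL_AUTH, SPOOL_LOCAL):
        msg = parse_spool_header(spool)
        print(msg["msgid"], repr(msg["headers"].get("Subject", "")), classify_origin(msg))
```

Point it at the -H files under /var/spool/exim/input/ (each queued message has one) and the three kinds separate the thread's hypotheses: "unauth" with an outside IP is the relay problem John traces to whitelist_domains, "auth" names the account whose password to reset, and "local" names the system user and, when PHP set it, the script to clean.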
 
No X-PHP-Originating-Script.
I use PHP 5.3. If I set SMTP_ALLOWLOCAL="0" and unblock these IPs on the firewall, they still send spam.
Last time, I suspended every account and waited 15 minutes, and it still sent spam.
 
I found that the /etc/virtual/whitelist_domains file had:
Code:
google.com
gmail.com
so any incoming email, either local or relayed, wouldn't need to authenticate if they had either of those domains as the sender domain address.

John
 
Sorry John, but I've a question.

If I put a domain in whitelist_domains, does that mean an email (local or remote) where the sender is set to that domain isn't checked?

If so, what can I use to skip the RBL check on incoming email from specified domains?

Regards
 
Whitelists run first, and accept the email. At that point no blocklist checks them. If I had it all to do over again I likely wouldn't even have whitelist_senders or whitelist_domains lists.

I recommend only using them temporarily while trying to resolve a problem.

Otherwise it's best to figure out the sending server (unfortunately not always the same as the MX server) and put it into whitelist_hosts, or put the IP# into whitelist_hosts_ip.

Of course you need to know the hostname to whitelist. That's the reason I originally set up a whitelisted incoming email address for people to write me when their email was being blocked (see Edit#37 in my version of SpamBlocker exim.conf 4.2.3), so people could write me and I could see their server name and/or IP#.

While that won't work reliably for large senders with multiple outgoing servers (google, yahoo, hotmail) the larger senders generally either publish or will send you their list of outgoing servers if you want to whitelist them.

Jeff
 
That's exactly the problem Jeff,

a "skip_rbl_list" for external domains would be nice for the big providers you mentioned...

Since the list of MX servers changes a lot, and the big providers don't tell you about those changes and don't get their hosts off the RBLs fast either.. and since my customers are a pain in the *** because they expect me not to block gmail, for example... I usually put those big names in that file.. but.. if that file is used to not ask for auth / not block outgoing email with fake sender addresses, then that would be an issue...

I'm not sure I was clear enough, I hope so; if I wasn't, let me know and I'll try to explain myself better.

Regards
 
Thanks. I've added gmail.com. I did it wrong, because it should be in /etc/greylist/whitlist_domains

After the modification I now only have the attack from these IPs, but they cannot send. Only many lines like this:
Code:
2014-11-30 11:35:10 H=(227.88.20) [177.189.212.226] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-11-30 11:35:10 H=(227.88.20) [177.189.212.226] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-11-30 11:35:10 H=(227.88.20) [216.170.115.193] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-11-30 11:35:10 H=(227.88.20) [177.189.212.226] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-11-30 11:35:38 H=(227.88.22) [177.189.212.226] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-11-30 11:35:38 H=(227.88.22) [23.95.88.106] incomplete transaction (sync failure) from <[email protected]>
2014-11-30 11:35:38 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "Subject: A GVT tem uma oferta para voce!" H=(227.88.22) [23.95.88.106] next input="To: [email protected]\r\nContent-Type: text/html\r\nDate: Sun, 30 Nov 2014 05:35:00 -0500\r\nX-Priority: 1\r\n\r\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4"
2014-11-30 11:35:38 H=(mail.eko24.pl) [177.189.212.226] incomplete transaction (sync failure) from <[email protected]>
2014-11-30 11:35:38 SMTP protocol synchronization error (next input sent too soon: pipelining was advertised): rejected "Subject: Plano LD Nacional com Iphone 5S!" H=(mail.eko24.pl) [177.189.212.226] next input="To: [email protected]\r\nContent-Type: text/html\r\nDate: Sun, 30 Nov 2014 08:35:29 -0200\r\nX-Priority: 1\r\n\r\n<html>\r\n<head>\r\n<meta http-equiv="Con"

I blocked them in the firewall.
 
I'm not sure I was clear enough, I hope so; if I wasn't, let me know and I'll try to explain myself better.
I'm not sure I'd whitelist by sender or From domain name even for the big providers; too many spambots and compromised machines use From addresses at those email services just in the hope they'll get through. With your idea, they will.

But I remember someone recommended a change to exim.conf which would allow wildcards in whitelist_hosts, and then you could use *google.com and *gmail.com and whitelist all those servers.

Jeff
 
That would definitely be better Jeff, I thought that whitelist_domains was there to allow every host of a domain, so *gmail.com for example...

Since it's not that way, I totally agree that it isn't fine, since it's not incoming-server related, so a wildcard for whitelist_host would definitely solve this.

Regards
 