logs archiveIRC Archive / Freenode / #exim / 2010 / February / 26 / 1
heh, fixed my issue; I kept trying to send to my personal e-mail address, not realizing that Exim had it in its virtual domains list (even though the MX records didn't point to it) so it kept rejecting my mail since the accounts weren't on the server
so fixed it by disabling that, now the mail is delivered properly
stupid, stupid, stupid, I know, but yeh.
im wondering how i could use wildcard or regex in exim4 local_sender_blacklist file
or perhaps there is another simple way to block emails
aparently you cant do *hotmail*
only *@hotmail.com
Hi, I'm a little bit confused. I'm running a small exim installation and the last days I got a huge amount of incoming spam mails by a user called admin, authenticated via cram-md5. But i didn't configured any user called admin.
what's your authentication source?
phx: server_secret = ${lookup{$1}lsearch{/etc/exim4/passwd.users}}
check it for an admin user
phx: that's the irritating part of the thing. there is no user admin in that file.
aren't any other auth sources configured
no, that's all (i think). It's a plain debian lenny installation with one exim4.conf file.
Here is an example of the logfile: "1NkDp9-0003oq-D6 <= xqeekcmn5824@yahoo.com.tw H=(nsbjur.com) [] P=esmtpa A=cram:admin S=2824 id=92bea4446ebb46fe8ff8e3e2e66b8bd5@6a343794725b48578f84267d6b5e4d0e"

is it still trying?
you could sniff it for the password (man tcpdump) and run exim in debug mode to see why does it accept the admin user
phx: no, but it was a big problem. in the last 48 hours more then 120,000 delivery attempts.
what i've done for now is to add a use admin into the user list with und long and unusal password. Hope this stops it for the moment.
Despite the fact that the mails came from a user admin that is not configured - how could the spammer now the password?
default debian backdoor? dunno
phx: yeah, maybe. I'll get the source of it
henk: any idea?
i'd know or have servers showing the same behaviour... i'd guess the problem is at layer 8, either in being unable to identify which user databases exim uses or somewhere in the config simply allowing anything if some condition matches.
henk: mmh, i'll do some test with not defined users ...
Okay, just testet. I'm not aible to authenticate as user admin within a mua.
ah, i've just seen in the log that for the time i added a user admin to the user/pwd file this prevented delivery attemps
"cram authenticator failed for (aaaaaa.com) []:1089 I=[]:25: 535 Incorrect authentication data (set_id=admin)
« prev