IRC Archive / Freenode / #exim / 2010 / February / 26 / 1
AndroidData
heh, fixed my issue; I kept trying to send to my personal e-mail address, not realizing that Exim had it in its virtual domains list (even though the MX records didn't point to it) so it kept rejecting my mail since the accounts weren't on the server
so fixed it by disabling that, now the mail is delivered properly
stupid, stupid, stupid, I know, but yeh.
i0x71
I'm wondering how I could use a wildcard or regex in the exim4 local_sender_blacklist file
or perhaps there is another simple way to block emails
apparently you can't do *hotmail*
only *@hotmail.com
timfly
Hi, I'm a little bit confused. I'm running a small exim installation and in the last days I got a huge amount of incoming spam mails by a user called admin, authenticated via cram-md5. But I didn't configure any user called admin.
phx
what's your authentication source?
timfly
phx: server_secret = ${lookup{$1}lsearch{/etc/exim4/passwd.users}}
phx
check it for an admin user
timfly
phx: that's the irritating part of the thing. there is no user admin in that file.
phx
mhm
aren't there any other auth sources configured?
timfly
no, that's all (i think). It's a plain debian lenny installation with one exim4.conf file.
Here is an example of the logfile: "1NkDp9-0003oq-D6 <= xqeekcmn5824@yahoo.com.tw H=(nsbjur.com) [121.78.119.27] P=esmtpa A=cram:admin S=2824 id=92bea4446ebb46fe8ff8e3e2e66b8bd5@6a343794725b48578f84267d6b5e4d0e"
phx
is it still trying?
you could sniff it for the password (man tcpdump) and run exim in debug mode to see why it accepts the admin user
timfly
phx: no, but it was a big problem. In the last 48 hours more than 120,000 delivery attempts.
What I've done for now is to add a user admin to the user list with a long and unusual password. Hope this stops it for the moment.
Despite the fact that the mails came from a user admin that is not configured - how could the spammer know the password?
phx
default debian backdoor? dunno
timfly
phx: yeah, maybe. I'll get the source of it
henk
no.
timfly
henk: any idea?
henk
i'd know or have servers showing the same behaviour... i'd guess the problem is at layer 8, either in being unable to identify which user databases exim uses or somewhere in the config simply allowing anything if some condition matches.
timfly
henk: mmh, I'll do some tests with undefined users ...
Okay, just tested. I'm not able to authenticate as user admin within a MUA.
ah, I've just seen in the log that for the time I added a user admin to the user/pwd file this prevented delivery attempts
"cram authenticator failed for (aaaaaa.com) [120.82.102.162]:1089 I=[85.214.49.145]:25: 535 Incorrect authentication data (set_id=admin)"