Need ACL for Spam Scenario: receiving Spam from local mail accounts

[fenixer]

Hello....

I am trying to find a sollution (via ACL) for a new Spam Scenario which is breaking since a week ago.

Spam Scenario: receiving emails to a local mail account, by example, local@mail-account.tld, but From is also local@mail-account.tld.......... the emails obviously are being sent using an external MTA (coming from the WAN)....

It is completely non-sense Exim receiving mails from X to X being X a local account, and being the from-host external......

Well, I have to find the ACL which:

- If email is not being received from localhost
- if domain is local
- if host is not at relaylist (client is sending emails using SMTP auth)

(and optional I guess, although is may not be neccesary)
- if mail from is the same as mail to

- simple...... the email is denied.

I am not an expert at exim ACL-ing, but I will try to get this rules working as soon as possible....... When I do, I will publish here.

This post is for someone could help me somehow... thanks in advance...

[fenixer]

Maybe something like this???????

Having this lists:

domainlist rbl_bypass = lsearch;/etc/rblbypass (local domains excluded for filtering)
hostlist rbl_whitelist = /etc/relayhosts : /etc/rblwhitelist (excluded for filtering)
domainlist rbl_whitesenderlist = partial-lsearch;/etc/rblwhitelist (excluded for filtering)

........... just under senderverifying ACLs...........

deny message = IMPERSONATE error: you cannot be me.
log_message = IMPERSONATE error: cannot be "$sender_address" because thats me!
!hosts = : +relay_hosts : +rbl_whitelist : localhost : localhost.localdomain : 127.0.0.1
!authenticated = *
!senders = ^.*-request@.*:^bounce-.*@.*:^.*-bounce@.*:^owner-.*@.*:\
^listmaster@.*:^root@.*:^anonymous@.*:^nobody@.*
!domains = +rbl_bypass
!sender_domains = +rbl_whitesenderlist
sender_domains = +local_domains

Do you think it is good for the case and will not affect others than spam being sended using local mail addresses????

[duranduran]

I have same problem Here. See:

1Mp4JR-0006yY-AQ-H
mailnull 47 12
<>
1253383533 0
-ident mailnull
-received_protocol local
-body_linecount 57
-max_received_linelength 339
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
libro@tecniciencia.com

157P Received: from mailnull by MYSERVERHOSTNAME with local (Exim 4.69)
id 1Mp4JR-0006yY-AQ
for libro@tecniciencia.com; Sat, 19 Sep 2009 15:05:33 -0300
045 X-Failed-Recipients: oyefi2000@school.edu.ru
029 Auto-Submitted: auto-replied
068F From: Mail Delivery System <Mailer-Daemon@MYSERVERHOSTNAME>
027T To: libro@tecniciencia.com
059 Subject: Mail delivery failed: returning message to sender
057I Message-Id: <E1Mp4JR-0006yY-AQ@MYSERVERHOSTNAME>
038 Date: Sat, 19 Sep 2009 15:05:33 -0300

Data spool file

1Mp4JR-0006yY-AQ-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

oyefi2000@school.edu.ru
The mail server could not deliver mail to oyefi2000@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.

------ This is a copy of the message, including all the headers. ------

Return-path: <libro@tecniciencia.com>
Received: from localhost ([127.0.0.1]:57675 helo=MYSERVERHOSTNAME)
by MYSERVERHOSTNAME with smtp (Exim 4.69)
(envelope-from <libro@tecniciencia.com>)
id 1Mp4JQ-0006xm-MZ
for oyefi2000@school.edu.ru; Sat, 19 Sep 2009 15:05:32 -0300
Date: Sat, 19 Sep 2009 15:05:32 +0300
To: <oyefi2000@school.edu.ru>
Reply-To: <libro@tecniciencia.com>
From: <libro@tecniciencia.com>
Subject: èíòåëëåêòóàëû
Message-ID: <01CA3953.14336732@MYSERVERHOSTNAME>
X-Priority: 3 (Normal)
Content-Type: multipart/alternative;
boundary="----01CA396C302F2FE1"
X-ACL-Warn: {

------01CA396C302F2FE1
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: 8bit


This is sending by a spammer script in my server, but where and who ?
This is a Bounce message.

[rodstewart]

Hello....

We have had the same problem for few weeks.

You should check for cgi skript.
In most cases the spammers have transferred over ftp the cgi script after that they run the script and after that the deleted it.

So please check your logs for suspect cgi upload at the time (19 Sep) the email was send from your server.

normally you should only check in /var/log/messages

Code:

cat /var/log/messages |grep UPLOAD

If you found a suspect script take a look on all activities of that user

Code:

cat /var/log/messages |grep pure-ftpd |grep cpanelusername

Additional:
To list all running cgi processes run

Code:

ps auxwf | grep cgi

If that not help you feel free to contact me.
regards
Sven