Bug in Exim SMTP sending spam with mail.microsoft.com

[wimp]

I saw that Anyone can send out e-mails with smtp= mail.microsoft.com from my CPanel servers.

Normally, befor snding e-mails trough your account (using mail.mydomain.com) you have to autentication yourselve by userID and PW eg. downloading e-mails.
False!

It works also without prior authentication. In this way Ayone on the world can use your server to sending spam.
For eg. he can set: mail.microsoft.com, mail.fbi.com, mail cpanel.net etc.

I note this on different CPanel server... Seems that is a bug..
Can anyone else give them a look on his server and confirm?

thanks


cPanel.net Support Ticket Number:

[Angel78]

which build are you using?

[wimp]

Cpanel 6.4.2-R5

cPanel.net Support Ticket Number:

[uadm]

I don't understand what you're talking about:

telnet cpanel.server.com 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.com.
Escape character is '^]'.
220-xxx.xxx.com ESMTP Exim 3.36 #1 Tue, 20 May 2003 11:43:09 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
mail from: rcs@mail.microsoft.com
250 <rcs@mail.microsoft.com> is syntactically correct
rcpt to: rcs@somedomain.com
550-Host xxx.org [xxx.xxx.xxx.xxx] is not permitted
550-to relay through xxx.xxx.com.
550-Perhaps you have not logged into the pop/imap server in the last 30 minutes.550-You may also have been rejected because your ip address
550-does not have a reverse DNS entry.
550 relaying to <rcs@somedomain.com> prohibited by administrator

cPanel.net Support Ticket Number:

cPanel.net Support Ticket Number:

[rpmws]

virus !!! reply address is support@ms and exim is trying to return it there becuase it stopped it from making it to your users.

cPanel.net Support Ticket Number:

[Website Rob]

Just your usual Spam -- with an un-acceptable attachment; exe, pif, scr, etc -- having 'support@microsoft.com' as the Sender eMail address. As these type eMails are bounced back to the Sender, Microsoft does not accept them either -- also because of the un-acceptable attachment -- and sends them back. This means they come back to your Server, of course.

Here are some I received today and the "Received" line is how you tell where they came from:

Received: from d141-143-123.home.cgocable.net ([24.141.143.123] helo=PUMPED)
by your_server.com with esmtp (Exim 3.36 #1)

Received: from ctt187190.ceinetworks.com ([216.169.187.190] helo=CATHY-B)
by your_server.com with esmtp (Exim 3.36 #1)

Received: from hsa150.pool033.at101.earthlink.net ([216.249.102.150] helo=3F3ZL01)
by your_server.com with esmtp (Exim 3.36 #1)

Received: from aneuilly-109-1-19-204.w81-53.abo.wanadoo.fr ([81.53.73.204] helo=FREE)
by your_server.com with esmtp (Exim 3.36 #1)


Just started seeing these myself, since the Cpanel update (to Cpanel 6.4.2-E3) a few days ago.


Also, it is incorrect to think there is a problem with Cpanel or Exim. There is no security being breached in this problem.

You'll note where it says:

"A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

<eMail_address_for_an_account_on_your_Server>
This message has been rejected because it has"


Please remember to know what you are talking about (before suggesting something is a bug or security problem) and, it's always nice to have have done some testing on your own, to better explain the problem. This will allow others to give better answers and prevents the spread of false information.

cPanel.net Support Ticket Number:

[rpmws]

It's a virus. why would I lie?

http://www.trendmicro.com/vinfo/viru...e=WORM_PALYH.A

cPanel.net Support Ticket Number:

[Website Rob]

Originally posted by rpmws
It's a virus. why would I lie?

http://www.trendmicro.com/vinfo/viru...e=WORM_PALYH.A

cPanel.net Support Ticket Number:

Yes, it is a virus and my post was directed to wimp and those that make the type of posts, as the one starting this thread.

cPanel.net Support Ticket Number:

[noimad1]

Sorry for my ingorance, but I am also seeing these in my mail que. Here is part of an example of one that has the support@microsoft.com:

19ILB1-000051-00-D
This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

xoles@xolesfishies.com
This message has been rejected because it has
a potentially executable attachment "password.pif"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------

Return-path:
Received: from h24-71-148-169.ss.shawcable.net ([24.71.148.169] helo=CAKE)
by server1.com with esmtp (Exim 3.36 #1)
id 19ILAy-00004z-00
for xoles@xolesfishies.com; Tue, 20 May 2003 23:26:04 -0500


Does this mean the message is being sent from our box, or comming to our box and getting bounced, but comming back to us becuase the return mail is support@interxstream.com?

If it is the second, the I am assuming I can just need to delete the returned message out of my que?

Thanks

cPanel.net Support Ticket Number: