Exim might be an Open Relay
Hi:

I've been running some tests through the abuse.net system, and I've discovered Exim might support relaying...

RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest@domain.com>
<<< 250 OK
>>> RCPT TO:<user-xxxxxxxx%nf.abuse.net@domain.com>
<<< 250 Accepted
>>> DATA
<<< 354 Enter message, ending with "." on a line by itself
>>> (message body)
<<< 250 OK id=1B9U79-0003wb-4U

I've received the e-mail:

This is a test of third-party mail relay, generated via the Network Abuse Clearinghouse at http://www.abuse.net.

Target host = domain.com [xx.xx.xx.xx]
Test performed by <xxx@domain.com> from xx.58.x.48

A well-configured mail server should NOT relay third-party email. Otherwise, the server is subject to abuse by vandals and spammers, and probable blacklisting by recipients of the unwanted third-party e-mail.

For information on how to secure a mail server against third-party relay, visit <URL: http://www.mail-abuse.org/tsi/>.

I would like to know if this error is already known and if somebody knows how to block relay through this method.

Regards,
Carlos
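Added example, not part of the original posts: a Python sketch of the RCPT-time decision that refuses the `user%otherhost@localdomain` form accepted in the session above. It also covers the bang-path and source-route forms, which goes beyond the one case in the post; `LOCAL_DOMAINS`, the function names and the sample addresses are assumptions made for the illustration.

```python
import re

# Assumption for this example: the domains the server accepts mail for.
LOCAL_DOMAINS = {"domain.com"}

# Characters that re-route a message when they appear in the local part:
# '%' (percent hack), '!' (UUCP bang path), '@' (address nested in quotes).
ROUTING_CHARS = re.compile(r"[%!@]")


def split_rcpt(rcpt):
    """Return (local_part, domain) from the argument of RCPT TO."""
    addr = rcpt.strip().lstrip("<").rstrip(">")
    # Source route "@hop1,@hop2:user@final": only the final address matters.
    if addr.startswith("@") and ":" in addr:
        addr = addr.split(":", 1)[1]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a fully qualified address: %r" % rcpt)
    return local, domain.lower()


def rcpt_decision(rcpt, sender_may_relay=False):
    """Decide on one RCPT TO the way a non-relaying server should."""
    try:
        local, domain = split_rcpt(rcpt)
    except ValueError:
        return "reject: malformed address"
    if domain not in LOCAL_DOMAINS:
        # Foreign domain: only authenticated or trusted senders may relay.
        if sender_may_relay:
            return "accept: relay permitted"
        return "reject: relay not permitted"
    if ROUTING_CHARS.search(local):
        # Local domain, but the local part names another host to forward to.
        return "reject: routing characters in local part"
    return "accept: local delivery"


if __name__ == "__main__":
    # Constructed sample recipients; the first is the form from the session above.
    for rcpt in ("<user-xxxxxxxx%nf.abuse.net@domain.com>",
                 "<nf.abuse.net!user@domain.com>",
                 "<@domain.com:user@nf.abuse.net>",
                 "<postmaster@domain.com>"):
        print(rcpt, "->", rcpt_decision(rcpt))
```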
Well, I didn't try this yet on my server but this might be a serious bug since I think someone already abused this on one of our servers.
Luckily the Mail Statistics in WHM display 'Top 50 sending hosts by message count' - if there is any abnormal behaviour you can just block the IPs of the domains used to send this spam. Since I did this I noticed I no longer have huge peaks in the 'received' AND 'delivered' stats list. I had about 2 large peaks a day, along with very high load during their spamming. I definitely caught this bastard.
__________________
ICQ: 51034232 MSN: simex@wxs.nl