  1. #1
    Member
    Join Date
    Apr 2005
    Posts
    21

    why is my exim an open relay??

    This is really frustrating.

    I'm running exim 4.52 on CentOS 3.5, via WHM 10.6.

    Our exim is definitely acting as an open relay, but I'm completely stumped as to how to close it.

    I've spent an hour googling and searching on these forums, and tried a few things, but nothing that has actually worked.

    Following is evidence:

    # telnet my.mailhost.net 25
    Trying 69.xx.xxx.x...
    Connected to my.mailhost.net.
    Escape character is '^]'.
    220-my.mailhost.net ESMTP Exim 4.52 #1 Wed, 02 Nov 2005 18:19:23 -0700
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    ehlo
    250-my.mailhost.net Hello [130.xx.xxx.xx]
    250-SIZE 52428800
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
    mail from: <foo@qwest.net>
    250 OK
    rcpt to: <bar@excite.com>
    250 Accepted
    DATA
    354 Enter message, ending with "." on a line by itself
    From: foo@qwest.net
    To: bar@excite.com
    Subject: relay test

    relayed! WTF!?

    .
    250 OK id=1EXTlm-0001rj-3R
    quit
    221 my.mailhost.net closing connection
    Connection closed by foreign host.


    As can be seen - I ended up with an email in my excite inbox...

    I know postfix and sendmail well - but I have no experience with exim; but I need to close this relay ASAP.


    Many thanks!

  2. #2
    Super Moderator (chirpy; vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    What makes you think it's an open relay? That SMTP session doesn't particularly prove anything, because:

    1. Are you actually on the server when you do that? You can always relay locally.

    or

    2. Have you authenticated your IP address within the last 30 minutes by POPing an account on the server? If so, you'll be able to relay email.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Member
    Join Date
    Oct 2004
    Location
    SouthAmerica
    Posts
    49

    I AM an open relay too.

    Quote Originally Posted by chirpy View Post
    What makes you think it's an open relay? That SMTP session doesn't particularly prove anything, because:

    1. Are you actually on the server when you do that? You can always relay locally.

    or

    2. Have you authenticated your IP address within the last 30 minutes by POPing an account on the server? If so, you'll be able to relay email.
    Nessus Scan Report
    This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.
    Scan Details
    Number of security holes found 0
    Number of security warnings found 1
    Analysis of Host
    Address of Host Port/Service Issue regarding Port
    66.98.184.59 general/udp Security notes found
    66.98.184.59 ftp (21/tcp) Security notes found
    66.98.184.59 mysql (3306/tcp) Security notes found
    66.98.184.59 domain (53/tcp) Security notes found
    66.98.184.59 http (80/tcp) Security notes found
    66.98.184.59 pop3 (110/tcp) Security notes found
    66.98.184.59 smtp (25/tcp) Security warning(s) found

    Warning smtp (25/tcp)
    The remote SMTP server is insufficiently protected against relaying
    This means that spammers might be able to use your mail server
    to send their mails to the world.

    Nessus was able to relay mails by sending those sequences:

    MAIL FROM: <nessus@myserver.com.ar>
    RCPT TO: <nobody%example.com@myserver.com.ar>

    Risk factor : Medium

    Solution : upgrade your software or improve the configuration so that
    your SMTP server cannot be used as a relay any more.
    Nessus ID : 11852


    Now, what should I do to fix it?

  4. #4
    Super Moderator (chirpy; vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    What I said still applies. Had you already authenticated from the originating IP of Nessus? If not, check the exim_mainlog, as it likely rejected the email. Nessus and the like are usually pretty unreliable since they only poke a server from the outside.
    Jonathan Michaelson

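Added example, not code from any post in this thread: the manual telnet session in the first post and the Nessus check in post #3, as a script that tries the classic relay-test recipient forms (the plain third-party address plus the percent-hack, source-route, bang-path and quoted-local-part variants) and reports what the server answered at RCPT TO, without ever sending DATA. Its verdict applies chirpy's two caveats: an accepted RCPT only means something when the probe comes from an outside IP that has not just POP-authenticated, and an accepted source-routed form (the `nobody%example.com@...` style Nessus used) is only a relay if exim_mainlog shows the message leaving the box rather than being delivered locally or bounced. Hostnames and addresses in the code are placeholders; `FakeMTA` is an offline stand-in so the logic can be run without a live server.

```python
#!/usr/bin/env python3
"""Automated version of the manual relay test posted above.

Added example; not code from this thread, from cPanel or from Exim.
Hostnames and addresses are placeholders. For a meaningful result run it
from a host that is neither the mail server itself nor an IP that has
POP-authenticated within the last 30 minutes (cPanel's POP-before-SMTP
window), and never let it reach DATA: an accepted RCPT TO is all the
evidence needed, and a real open relay would otherwise deliver the mail.
"""
import smtplib
import sys


def relay_probes(mta_host, target_domain="example.com", user="nobody"):
    """Recipient forms a relay scanner tries. Only "plain" is an honest
    third-party recipient; the others are legacy source-routing syntaxes
    that an MTA may *accept* at RCPT TO and then deliver locally or bounce
    rather than relay."""
    return [
        ("plain",        f"{user}@{target_domain}"),
        ("percent-hack", f"{user}%{target_domain}@{mta_host}"),
        ("source-route", f"@{mta_host}:{user}@{target_domain}"),
        ("bang-path",    f"{target_domain}!{user}@{mta_host}"),
        ("quoted-local", f'"{user}@{target_domain}"@{mta_host}'),
    ]


def probe(conn, mta_host, sender="relaytest@example.org"):
    """Run MAIL FROM / RCPT TO for each probe over an smtplib.SMTP-like
    connection (anything with docmd(cmd, args) -> (code, msg)) and record
    the RCPT TO status. RSET between probes so they are judged separately."""
    results = {}
    for name, rcpt in relay_probes(mta_host):
        code, _ = conn.docmd("MAIL", f"FROM:<{sender}>")
        if code != 250:
            results[name] = ("mail-rejected", code)
            conn.docmd("RSET")
            continue
        code, _ = conn.docmd("RCPT", f"TO:<{rcpt}>")
        results[name] = ("accepted" if code in (250, 251) else "rejected", code)
        conn.docmd("RSET")
    return results


def verdict(results):
    """An accepted plain third-party recipient from an unauthenticated
    outside host is an open relay. Accepted source-routed forms are only a
    relay if the message actually leaves the box, which exim_mainlog shows
    (a => line with T=remote_smtp rather than a local delivery)."""
    if results.get("plain", ("",))[0] == "accepted":
        return "OPEN RELAY: third-party recipient accepted without authentication"
    if any(state == "accepted" for name, (state, _) in results.items() if name != "plain"):
        return "SUSPECT: source-routed recipient accepted; confirm in exim_mainlog whether it was relayed"
    return "CLOSED: every relay probe rejected at RCPT TO"


class FakeMTA:
    """Offline stand-in for a live server. open_relay=True answers like the
    session pasted in the first post (everything 250); open_relay=False
    behaves like a correctly configured Exim that only accepts mail for
    its own domain and refuses source-routed recipients."""
    def __init__(self, open_relay, local_domain="my.mailhost.net"):
        self.open_relay, self.local_domain = open_relay, local_domain

    def docmd(self, cmd, args=""):
        if cmd != "RCPT" or self.open_relay:
            return (250, b"OK")
        rcpt = args[len("TO:<"):-1]
        routed = rcpt.startswith(("@", '"')) or "%" in rcpt or "!" in rcpt
        if not routed and rcpt.lower().endswith("@" + self.local_domain):
            return (250, b"Accepted")
        return (550, b"relay not permitted")


def run_live(host, port=25):
    """Probe a real server; returns the same dict as probe()."""
    with smtplib.SMTP(host, port, timeout=20) as conn:
        conn.ehlo()
        return probe(conn, host)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = run_live(sys.argv[1])
    else:                       # no host given: demonstrate against the fake
        results = probe(FakeMTA(open_relay=True), "my.mailhost.net")
    for name, (state, code) in results.items():
        print(f"{name:13} {code} {state}")
    print(verdict(results))
```

Run it as `python3 relayprobe.py my.mailhost.net` from a remote host; with no argument it probes the built-in fake. A correctly configured Exim answers `550 relay not permitted` to every probe, and if the plain probe gets a 250 from an outside, unauthenticated IP you really are an open relay.
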
  5. #5
    Registered User
    Join Date
    Jun 2006
    Posts
    1


    Go to www.dnsreport.com and run your domain. In the output where it tests your email server, if it thinks you have an open relay it will give you a link to some info on what you need to do. Sorry, I don't know the direct link, as I closed my server to relaying a long time ago.

  6. #6
    Member
    Join Date
    Oct 2004
    Location
    SouthAmerica
    Posts
    49

    Agggggggggg

    FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that any....

    I WILL TRY TO FIX IT NOW!!!!

    I will include news on this post later.

  7. #7
    Member
    Join Date
    Oct 2004
    Location
    SouthAmerica
    Posts
    49

    Please help

    I need help.
    1. My exim queue keeps growing. I added all logs to the emails so I can see one, for example:

    1Gc5Mr-0003Fc-UP-H
    mailnull 47 12
    <>
    1161631309 0
    -ident mailnull
    -received_protocol local
    -body_linecount 383
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1161631312
    -localerror
    XX
    1
    vvegab@australiamail.com

    155P Received: from mailnull by HEREGOESMYSERVER.COM with local (Exim 4.52)
    id 1Gc5Mr-0003Fc-UP
    for vvegab@australiamail.com; Mon, 23 Oct 2006 16:21:27 -0300
    044 X-Failed-Recipients: indem@wrongclietn.com
    031 Auto-Submitted: auto-generated
    064F From: Mail Delivery System <Mailer-Daemon@HEREGOESMYSERVER.COM>
    029T To: vvegab@australiamail.com
    059 Subject: Mail delivery failed: returning message to sender
    053I Message-Id: <E1Gc5Mr-0003Fc-UP@HEREGOESMYSERVER.COM>
    038 Date: Mon, 23 Oct 2006 16:21:26 -0300

    1Gc5Mr-0003Fc-UP-D


    2. My exim_mainlog says:

    2006-10-26 00:10:43 SMTP connection from [124.168.28.56]:1737 I=[MYIPHERE]:25 (TCP/IP connection count = 6)
    2006-10-26 00:10:43 1GcvdF-0007vw-4e => american <american@HEREGOESMYSERVER.COM> F=<pmgsender@returns.pm0.net> P=<pmgsender@returns.pm0.net> R=localuser T=local_delivery S=3488 QT=53s DT=0s
    2006-10-26 00:10:43 1GcvdF-0007vw-4e Completed QT=53s.....

    or..

    2006-10-26 00:17:29 1Gcvke-0008UD-1B <= <> H=(wx-out-0506.google.com) [66.249.82.228]:11371 I=[MYIPHERE]:25 P=esmtp S=2529 T="Delivery Status Notification (Failure)" from <> for nazehoberon@ONEREALDOMAIN.COM
    2006-10-26 00:17:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Gcvke-0008UD-1B
    2006-10-26 00:17:29 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2006-10-26 00:17:29 SMTP connection from avcsegur
    2006-10-26 00:17:31 1Gcvke-0008UJ-8X <= <> U=avcsegur P=local-bsmtp S=2928 T="Delivery Status Notification (Failure)" from <> for avcsegur@HEREGOESMYSERVER.COM
    2006-10-26 00:17:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Gcvke-0008UJ-8X


    What is cwd=/tmp doing there??

    /tmp is secure, according to ALL forums, isn't it??

    thanks in advance

  8. #8
    Super Moderator (chirpy; vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    There's no such thing as a "secure" /tmp, there's just things you can do to make it more secure than the default configuration, such as mounting it noexec and nosuid.

    cwd=/tmp suggests you have a script running in /tmp sending out email. You should check /tmp for suspicious php and perl scripts.
    Jonathan Michaelson

  9. #9
    Member
    Join Date
    Oct 2004
    Location
    SouthAmerica
    Posts
    49

    Can I do it?

    What happens if I just delete all content in /tmp in an hour when the server has few visits?

    Is there any script to find out which user is sending emails as mailnull or nobody?

  10. #10
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187


    Quote Originally Posted by altomarketing2 View Post
    is there any script to find out which user is sending mailnull or nobody sending emails ?
    What about these solutions from chirpy on the cPanel forum:
    http://forums.cpanel.net/showthread.php?t=50186

    If you want to enable extended logging use the Exim Configuration Editor in WHM and simply add the following to the first text area in Advanced Mode:

    log_selector = +all

    Or if you want less output and just the essentials, this will usually do instead:

    log_selector = +arguments

    What it does is provide the context within which a request was made to exim (i.e. CWD) so it usually provides the directory from where the script runs that starts the mail connection. If that is present, you can then go to that folder and track down the PHP script within that directory.
    - Vince

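Added example, not from any post here: once `log_selector = +arguments` is on, the `cwd=... args: ...` line and the `<=` arrival line it precedes are what answer both questions above (what `cwd=/tmp` is doing there, and which user the mail sent as mailnull or nobody is really coming from). The script below pairs each locally submitted message (P=local or P=local-bsmtp) with the invocation logged just before it, skips Exim's own `-Mc`/`-q` delivery processes, and tallies submissions per user and working directory, flagging world-writable scratch directories and `public_html` docroots. The SAMPLE log is constructed from the line shapes pasted in this thread; hostnames, message IDs and the 5-second pairing window are assumptions.

```python
#!/usr/bin/env python3
"""Find which local user and directory script-sent mail is coming from.

Added example, not from this thread or from cPanel. It needs Exim's
log_selector = +arguments (or +all), which writes a "cwd=... args: ..."
line for every sendmail/exim invocation just before the message's "<="
arrival line. SAMPLE below is constructed from the line shapes pasted
earlier in the thread; hostnames and IDs in it are placeholders.
"""
import re
from collections import Counter
from datetime import datetime

CWD_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$')
ARRIVAL_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S{6}-\S{6}-\S{2}) <= (?P<sender>\S+) (?P<rest>.*)$')
DELIVERY_PROC_RE = re.compile(r'\s-(M|q)\S*')       # exim -Mc / -q...: queue work, not a submission
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
WEB_DOCROOT_RE = re.compile(r'^/home/[^/]+/public_html(?:/|$)')
WINDOW_SECONDS = 5            # assumption: cwd line and its "<=" line land within a few seconds

# Constructed sample, modelled on the exim_mainlog excerpts in this thread.
SAMPLE = """\
2006-10-26 00:10:43 SMTP connection from [124.168.28.56]:1737 I=[10.0.0.5]:25 (TCP/IP connection count = 6)
2006-10-26 00:10:43 1GcvdF-0007vw-4e <= pmgsender@returns.pm0.net H=(mail.pm0.net) [124.168.28.56]:1737 P=esmtp S=3488 for american@heregoesmyserver.com
2006-10-26 00:17:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Gcvke-0008UD-1B
2006-10-26 00:17:29 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2006-10-26 00:17:31 1Gcvke-0008UJ-8X <= <> U=avcsegur P=local-bsmtp S=2928 T="Delivery Status Notification (Failure)" from <> for avcsegur@heregoesmyserver.com
2006-10-26 00:17:40 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2006-10-26 00:17:41 1Gcvkq-0008UQ-2c <= <> U=avcsegur P=local-bsmtp S=2910 T="Delivery Status Notification (Failure)" from <> for someone@example.net
2006-10-26 00:20:02 cwd=/home/shop1/public_html/images 4 args: /usr/sbin/sendmail -t -i
2006-10-26 00:20:02 1Gcvn4-0008Vb-1Q <= shop1@heregoesmyserver.com U=nobody P=local S=1844 T="Notification" for mark@example.org
2006-10-26 00:25:10 cwd=/home/alice 3 args: /usr/sbin/sendmail -t
2006-10-26 00:25:10 1GcvsA-0008Wq-9Z <= alice@heregoesmyserver.com U=alice P=local S=900 T="hi" for bob@example.org
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def field(rest, key):
    """Pull a KEY=value token (U=, P=, H=...) out of an Exim log line."""
    m = re.search(r'(?:^|\s)' + re.escape(key) + r'=(\S+)', rest)
    return m.group(1) if m else None


def is_suspect_cwd(cwd):
    """World-writable scratch space or a web docroot: where a PHP/Perl
    mailer dropped through a web exploit usually runs from."""
    return (cwd.rstrip("/") + "/").startswith(WORLD_WRITABLE) or bool(WEB_DOCROOT_RE.match(cwd))


def triage(lines):
    """Attribute each locally submitted message (P=local*) to the cwd line
    logged just before it and count submissions per (U= user, cwd) for
    suspect directories. Returns (findings Counter, list of submissions)."""
    last_invocation = None
    findings = Counter()
    submissions = []
    for line in lines:
        m = CWD_RE.match(line)
        if m:
            if not DELIVERY_PROC_RE.search(m.group("args")):
                last_invocation = (parse_ts(m.group("ts")), m.group("cwd"), m.group("args"))
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if not (field(rest, "P") or "").startswith("local"):
            continue               # came in over SMTP: a relay/auth question, not a script
        ts, user = parse_ts(m.group("ts")), field(rest, "U") or "?"
        cwd = args = None
        if last_invocation and 0 <= (ts - last_invocation[0]).total_seconds() <= WINDOW_SECONDS:
            _, cwd, args = last_invocation
        submissions.append((m.group("id"), user, m.group("sender"), cwd, args))
        if cwd and is_suspect_cwd(cwd):
            findings[(user, cwd)] += 1
    return findings, submissions


if __name__ == "__main__":
    findings, subs = triage(SAMPLE.splitlines())
    print(f"{len(subs)} local submissions")
    for (user, cwd), n in findings.most_common():
        print(f"{n:4}  U={user:<10} cwd={cwd}")
```

Feed it the real file with `python3 triage.py < /var/log/exim_mainlog` after replacing `SAMPLE.splitlines()` with `sys.stdin`; the directory it prints is where to look for the script, and the U= user (often nobody when PHP runs under Apache) tells you which account's web space was abused.
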
  11. #11
    Member
    Join Date
    Oct 2004
    Location
    SouthAmerica
    Posts
    49

    The spammer keeps using my servers!!!

    OK, I'll summarize what I did to avoid this fuc.. spammer.
    1. I read all features and enabled them on WHM.
    2. I found out that my exim log rejects relays that are not my clients, I think...
    3. I installed chirpy's feature in PHP to detect if a script is sending through my server. I tested it, it works, but I do not detect any spammer like this.
    4. I installed RBL, SBL and all features about detecting IPs from spammers, to avoid them connecting to my server.

    But I keep receiving emails that were sent by anyname@mydomain.com. I will copy one here and you will see; I understand that the original email was sent using my server.

    I received it in my inbox.... I replaced my domain and my server's IP with MYDOMAINHERE and xx.xx.xx.xx.

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    drjohn@usash.com
    (ultimately generated from 616cc0dc@usash.com)
    mailbox is full: retry timeout exceeded

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <gnr@MYDOMAINHERE.com>
    Received: from aclermont-ferrand-157-1-16-228.w83-205.abo.wanadoo.fr ([83.205.143.228]:2402)
    by enzo.websitewelcome.com with esmtp (Exim 4.52)
    id 1Ge8CM-0000bv-Kf
    for 616cc0dc@usash.com; Sun, 29 Oct 2006 04:47:27 -0600
    Received: from XXX.XXX.XXX.XXX(HELO MYDOMAINHERE.com)
    by usash.com with esmtp (HH7I1U8G1 JL487)
    id EC7N00-BD83Y1-K1
    for 616cc0dc@usash.com; Sun, 29 Oct 2006 10:47:34 -0060
    From: "Danielle Beal" <gnr@MYDOMAINHERE.com>
    To: <616cc0dc@usash.com>
    Subject: Notification
    Date: Sun, 29 Oct 2006 10:47:34 -0060
    Message-ID: <01c6fb47$a4646310$6c822ecf@gnr>
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Office Outlook, Build 11.0.6353
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
    Thread-Index: Aca6QMFUDL7VL222RV6EN62GPY2S06==

    The accumulation of positions by those in the know has shot
    A_U_N_I up 33% in a few short days. We hope you all got in
    early like we told you to, and are enjoying your good fortune.
    But even if you didn't don't worry because ..........


    So, someone is sending through MYIP with noexist@MYDOMAINHERE.COM, but I cannot detect them.

    I tried putting the domain that he uses to connect to my SMTP in my server's blacklist, but he keeps changing it with every email.

    When exim sends an email, it doesn't keep logs about the sending if it was OK; it keeps logs about errors, or only the date/time on successful sending, right?

    What do you suggest to detect this spammer?

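Added example, not from the thread: a script that reconstructs the Received: chain of a bounced copy like the one pasted above. Each Received: header is written by the MTA that accepted the message and records who it got it from; the header beneath it should say it was received by that same host. The first place that link breaks is where trust ends, and everything below it was supplied by the sender. The script also checks for UTC offsets no MTA emits (the -0060 in the bounce above) and collects the HELO names used. SAMPLE is the pasted bounce with the redacted server IP and domain replaced by the placeholders 192.0.2.10 and mydomain.example; the wanadoo.fr hop is kept as posted.

```python
#!/usr/bin/env python3
"""Walk the Received: chain of a bounced copy to find where the message
was really injected and which hops cannot be trusted.

Added example; not code from this thread. SAMPLE is constructed from the
bounce pasted above, with the poster's redacted server IP and domain
replaced by the placeholders 192.0.2.10 and mydomain.example.
"""
import email
import re

IP_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')
HOP_RE = re.compile(r'^from\s+(?P<from>[^\s(]+)\s*(?:\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)')
TZ_RE = re.compile(r'([+-])(\d\d)(\d\d)\s*$')

SAMPLE = """\
Return-path: <gnr@mydomain.example>
Received: from aclermont-ferrand-157-1-16-228.w83-205.abo.wanadoo.fr ([83.205.143.228]:2402)
    by enzo.websitewelcome.com with esmtp (Exim 4.52)
    id 1Ge8CM-0000bv-Kf
    for 616cc0dc@usash.com; Sun, 29 Oct 2006 04:47:27 -0600
Received: from 192.0.2.10(HELO mydomain.example)
    by usash.com with esmtp (HH7I1U8G1 JL487)
    id EC7N00-BD83Y1-K1
    for 616cc0dc@usash.com; Sun, 29 Oct 2006 10:47:34 -0060
From: "Danielle Beal" <gnr@mydomain.example>
To: <616cc0dc@usash.com>
Subject: Notification

(stock spam body omitted)
"""


def parse_hop(value):
    """Extract from-host, from-IP, HELO name, by-host and date from one Received: value."""
    v = " ".join(value.split())            # unfold continuation lines
    m = HOP_RE.match(v)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip = IP_RE.search(m.group("from")) or IP_RE.search(comment)
    helo = re.search(r'HELO\s+(\S+)', comment, re.I)
    return {"from": m.group("from"), "ip": ip.group(0) if ip else None,
            "helo": helo.group(1) if helo else None, "by": m.group("by"),
            "date": v.rsplit(";", 1)[1].strip() if ";" in v else ""}


def bad_timezone(date):
    """True for UTC offsets no MTA emits (e.g. -0060: sixty minutes)."""
    m = TZ_RE.search(date)
    return bool(m) and (int(m.group(2)) > 14 or int(m.group(3)) >= 60)


def analyze(raw_message, my_ip):
    """Hops are most-recent first. Hop i was written by its 'by' host and names
    the peer it received from; the hop beneath it should say it was received
    *by* that peer. The first broken link is where trust ends: everything
    below it was supplied by the sender and may be forged."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    k = 0                                   # index of the last hop we can vouch for
    while k + 1 < len(hops) and hops[k + 1]["by"].lower() in (
            hops[k]["from"].lower(), hops[k]["ip"] or ""):
        k += 1
    origin = hops[k] if hops else {}
    return {
        "origin_ip": origin.get("ip"),
        "origin_host": origin.get("from"),
        "untrusted_hops": max(len(hops) - k - 1, 0),
        "my_ip_in_trusted_chain": any(h["ip"] == my_ip for h in hops[:k + 1]),
        "bad_dates": [h["date"] for h in hops if bad_timezone(h["date"])],
        "helo_names": [h["helo"] for h in hops if h["helo"]],
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE, "192.0.2.10").items():
        print(f"{key:24} {val}")
```

For the pasted headers the chain breaks directly under the top hop: the only hop written by a host that verifiably handled the message names the wanadoo.fr address as its peer, the hop below it is the one carrying the impossible -0060 offset, and `my_ip_in_trusted_chain` comes out False. To settle it from your side, grep exim_mainlog for the message: anything that really transited your Exim has a `<=` arrival line there, and a bounce that arrives with no matching `<=` is backscatter from a forged sender address, not evidence of relaying.
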
  12. #12
    Member
    Join Date
    Oct 2004
    Location
    SouthAmerica
    Posts
    49

    I fixed it!

    Just running ./fixeverythings.

    Strange thing: since then, my server blocks 4 emails per second. Hehe, spammers.
    Altomarketing.com
    Webhosting and Design from SouthAmerica to USA and Europe
    www.altomarketing.com
