Exim under attack?

A

adapter

Well-Known Member
PartnerNOC
Sep 17, 2003
391
0
166
Hi

i have a high server load and it is Exim i have check exmin_mainlog and i see a lot of these message

2005-04-19 12:30:40 H=(mx4.hotmail.com) [196.2.98.198] F=<[email protected]> rejected RCPT <[email protected]>: no such address here
2005-04-19 12:30:40 H=(mx4.hotmail.com) [196.2.98.198] F=<[email protected]> rejected RCPT <[email protected]>: no such address here
2005-04-19 12:30:40 H=(mx4.hotmail.com) [196.2.98.198] F=<[email protected]> rejected RCPT <[email protected]>: no such address here


how can i stop it? what is doing?
 
AndyReed

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,217
4
193
Minneapolis, MN
It is very likely that a script is being exploited. Protecting and securing your server is the best thing you can do to stop these Spammers/hackers.
 
G

gahelm

Active Member
Jun 21, 2003
37
0
156
Florida
Chirpy,
I have been using your script and exim acl mods since version 1.0. Worked great! But it isnt working anymore and I cant figure out why. I verified that the mods are still located in the acl section of exim (2nd set of text boxes etc...) the perl script is installed with the proper permissions, the deny file is there, and a symbolic link has been created in cron to run the script. My exim main log which clearly shows a domain being hammered by a dictionary attack never rejects the user, nothing lands in the deny file etc.... My server is being slammed to its knees and I have no idea why this isnt working anymore. Any ideas?
 
R

RickG

Well-Known Member
Feb 28, 2005
238
2
168
North Carolina
... exim main log which clearly shows a domain being hammered by a dictionary attack never rejects the user ...
Click to expand...
gahelm: Is it possible this particular domain has the default address set to :blackhole: instead of :fail: ??

If you are not seeing unknown users being rejected in exim_mainlog this could be the problem. Remember that the dictionary attack scripts will have no impact unless you are using :fail: as the default.

Hope this helps.
 
Last edited:
G

gahelm

Active Member
Jun 21, 2003
37
0
156
Florida
Thanks for the response. I have already checked to confirm that the default for all domains is set to :fail:. This is ppretty weird, I know it's going to be something stupid, I just need to find it soon.
 
chirpy

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
Check the ownership of the file /etc/exim_deny.lock, if i is owned by root, delete it, and the ACL script should start working again for you.
 
Last edited:
R

RickG

Well-Known Member
Feb 28, 2005
238
2
168
North Carolina
Hmm ... think its worthwhile looking in the actual domain files under /etc/valiases/ ?

It might be redundant ... but is there any chance the domain being slammed with the dictionary attack is a "parked" domain? If so, I think you'd have to look at the actual domain files under /etc/valiases/ to confirm their default is set to :fail:

You might have already done this ...
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
E Under attack by spammers - need more than only limits returned in Exim Mail Queue on forwarder only messages Email 1
C Understanding exim log Email 4
T Need help understanding this exim_mainlog entry Email 4
cPanelAaronH Reading and Understanding the exim main_log Email 8
B Some incoming emails lost: trying to understand exim logs Email 3
Similar threads
Under attack by spammers - need more than only limits returned in Exim Mail Queue on forwarder only messages
Understanding exim log
Need help understanding this exim_mainlog entry
Reading and Understanding the exim main_log
Some incoming emails lost: trying to understand exim logs
Top Bottom