The Community Forums


:fail: is not working for dictionary attack (mail getting stored in exim queue)

Discussion in 'E-mail Discussions' started by qwerty, Dec 28, 2005.

  1. qwerty (Well-Known Member)
    I just noticed today that one of our servers had thousands of emails in its queue and it was all random spam to one domain, all of the recipient emails were non-existent.

    However the catch-all/default address for the domain is set to ":fail: no such user here" which is supposed to check availability of mailbox and decline delivery (if unavailable) during the smtp connection ...

    But what's happening here is that all these thousands of emails sent to non-existent users on this domain are getting stored in my exim queue ...

    Any ideas WHY???? It seems to be only this one domain !! :( It's driving me nuts
     
  2. chirpy (Well-Known Member)
    Check the mail headers. :fail: checks the RCPT in the SMTP protocol exchange and not the email header, so if the header is going to a non-existent address, but the Received header has a for pointing to an existing email address it will not fail the RCPT check.

    Also, make sure that the *: :fail: in /etc/valiases/domain.com is correctly formatted and spaced and is the last line in the file.
     
  3. qwerty (Well-Known Member)
    Hi Chirpy,

    how do I check what the RCPT is in the SMTP exchange as opposed to the email header? All I can see in the mail header is that the 'for' is for a non-existent user ...

    The *: :fail: line looks fine in /etc/valiases .. it's the last line and there's no extra spaces etc

    That's what's so weird about it .. it makes no sense :(
     
  4. qwerty (Well-Known Member)
    When I'm tailing the exim_mainlog I see a message similar to the following every few seconds:

    2005-12-30 04:12:00 1Es1K8-0004oj-KU ** suntalaakaash@domain.com R=virtual_aliases: no such address here


    BUT ... that email above gets stored in the mail queue even though that is NOT a real mailbox...
     
  5. chirpy (Well-Known Member)
    It should indeed be shown in the 'for' section of the last Received header. Odd. Are those all the lines in exim_mainlog for 1Es1K8-0004oj-KU?
     
  6. qwerty (Well-Known Member)
    root@koala [~]# tail -100000 /var/log/exim_mainlog | grep 1Es1K8-0004oj-KU
    2005-12-30 04:11:59 1Es1K8-0004oj-KU demime acl condition: base64 line length is not a multiple of 4 characters
    2005-12-30 04:11:59 1Es1K8-0004oj-KU <= <> H=reitdiep.demon.nl [212.238.241.152] P=smtp S=30825 id=0013$01cb34f5$04d950e2@Acer-laptop
    2005-12-30 04:12:00 1Es1K8-0004oj-KU ** suntalaakaash@domain.com R=virtual_aliases: no such address here
    2005-12-30 04:12:00 1Es1K8-0004oj-KU Frozen (delivery error message)
    2005-12-30 04:21:54 1Es1K8-0004oj-KU Message is frozen

    ...

    I totally don't get it ... for some reason this domain totally seems to ignore the :fail: :(
     
  7. chirpy (Well-Known Member)
    Ah.

    That log snippet helps. Because of the use of the demime ACL it's not doing the recipient check until the DATA stage (i.e. when the message has already been received) instead of in the RCPT stage of the SMTP protocol. That's why it's ending up in the mail queue, because it's beyond the point where exim can deny delivery as the email has effectively been delivered. If you were to remove those extra ACLs that you've added, it would probably work as it should.
     
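An added example, not code from this thread or from cPanel: a small Python script that applies chirpy's diagnosis to exim_mainlog. A message that was accepted (<=) and only afterwards failed with "no such address here" (**) had its recipient check run after DATA rather than at RCPT, whereas a working :fail: shows up as a "rejected RCPT" line that never gets a message id. The 1Es1K8-0004oj-KU lines are the ones quoted above; the other sample lines, their host names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in exim_mainlog format. The 1Es1K8-0004oj-KU lines are the
# ones quoted in the thread; the other lines are made up to show, for contrast,
# a recipient refused at RCPT time (no message id) and a normal delivery.
SAMPLE_LOG = """\
2005-12-30 04:11:59 1Es1K8-0004oj-KU demime acl condition: base64 line length is not a multiple of 4 characters
2005-12-30 04:11:59 1Es1K8-0004oj-KU <= <> H=reitdiep.demon.nl [212.238.241.152] P=smtp S=30825 id=0013$01cb34f5$04d950e2@Acer-laptop
2005-12-30 04:12:00 1Es1K8-0004oj-KU ** suntalaakaash@domain.com R=virtual_aliases: no such address here
2005-12-30 04:12:00 1Es1K8-0004oj-KU Frozen (delivery error message)
2005-12-30 04:13:10 H=mail.example.net [192.0.2.10] F=<someone@example.net> rejected RCPT <nobody@domain.com>: No Such User Here
2005-12-30 04:14:00 1Es1M0-0004rs-CD <= alice@example.org H=mail.example.org [192.0.2.20] P=esmtp S=1024
2005-12-30 04:14:01 1Es1M0-0004rs-CD => bob <bob@domain.com> R=virtual_user T=virtual_userdelivery
"""

# timestamp, Exim message id (6-6-2 base62 characters), rest of the line
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (?P<rest>.*)$"
)

def find_late_rejections(log_text):
    """Return {message id: details} for messages Exim accepted (<=) and only
    afterwards failed with 'no such address here' (**). With :fail: enforced
    at RCPT time these would never have been accepted; each hit is a copy in
    the queue (frozen when the sender was <>, i.e. the message was a bounce)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m.group("id")].append(m.group("rest"))
    hits = {}
    for msg_id, rest in events.items():
        accepted = any(r.startswith("<= ") for r in rest)
        failed = [r for r in rest if r.startswith("** ") and "no such address here" in r]
        if accepted and failed:
            hits[msg_id] = {
                "recipient": failed[0].split()[1],
                "frozen": any(r.startswith("Frozen") for r in rest),
                "null_sender": any(r.startswith("<= <> ") for r in rest),
            }
    return hits

def count_rcpt_rejections(log_text):
    """Count recipients refused during the SMTP RCPT stage, which is the
    behaviour :fail: is meant to produce. Such lines carry no message id."""
    return sum(1 for line in log_text.splitlines() if " rejected RCPT <" in line)
```

Run it against a real log with find_late_rejections(open("/var/log/exim_mainlog").read()); a non-empty result means recipient checks are happening after acceptance, and a count of zero from count_rcpt_rejections on a busy server means :fail: is not being enforced at RCPT time at all.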
  8. qwerty (Well-Known Member)
    What extra ACLs?? I don't think I have any ... plus it's only this domain that's not working properly
     